OWASP - User contributions [en]

Italy

2015-05-16T21:37:35Z

Luca Carettoni: /* WordPress */

<center>[[Image:OWASP-Italy.PNG]] </center>

==== WELCOME ====

{{Chapter Template|chaptername=Italy|extra=The chapter leader is [mailto:matteo.meucci@gmail.com Matteo Meucci]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-italy|emailarchives=http://lists.owasp.org/pipermail/owasp-italy}}

<paypal>Italy</paypal>
 

== Adopt OSS. First Edition ==

OWASP Italy is pleased to announce a new initiative: '''Adopt''' '''O'''pen'''S'''ource'''S'''oftware 

Given OWASP’s mission to help organizations with application security, we have established a new initiative to provide free, voluntary-based support to open source software projects. 

Thanks to Adopt OSS, security enthusiasts are paired with participating open source projects, thus gaining exposure to real-life security engineering challenges and the opportunity for career growth. In turn, the participating projects are able to obtain free professional expertise to better improve their security posture, and ultimately build secure software. Over a six months period, OWASP Italy will facilitate the effort by coordinating the initiative and providing support when needed. 

The first edition of this initiative will take place between ''May and November 2015'', and will see the participation of '''7 OWASP Italy members''' and '''3 major OpenSource projects'''. At the end of the six months period, OWASP Italy will publish results and feedback from both volunteers and OSS maintainers. 

The official flyer can be [https://www.owasp.org/images/0/07/AdoptOSSManifest-OWASPItaly.pdf downloaded from here].

===Ntopng===
''Alessio Petracca, Mattia Folador'' 

[http://www.ntop.org/products/traffic-analysis/ntop/ Ntop] is the de-facto standard for real-time network traffic monitoring. OWASP Italy wants to help the project by increasing the security level of ntopng, performing security testing activities and supporting the remediation process. 

We will act in two steps:
* First, a penetration test targeting the web interface of ntopng will be performed, following the [https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents OWASP Testing Methodology]
* Secondly, source code review of ntopng main components (such as the C++ core engine) will be statically reviewed. The objective is to address all relevant checks contained within the [https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents OWASP Code Review Guide]

In case the activities above are completed before the end of the six-months period, additional activities (such as the development of security plugins) will be discussed.
Luca Deri and Arianna Avanzini will support Alessio Petracca and Mattia Folador in these activities, by providing guidance and insights.

===WordPress===
''Paolo Perego, Sandro Zaccarini'' 

[https://wordpress.org/ WordPress] is the facto standard for web publishing. If you need a blog, if you need a new showcase website for your portfolio or a tiny e-commerce web site for your small company you will look at WordPress to start. 

Paying the cost to be the boss, WordPress during the years suffered tons of security issues, 3 major issues only in the beginning of May 2015. Either the core, plugins and themes are developed with easy to use in mind and they need to be hardened. 

OWASP Italy wants to support WordPress adopting it with the "Stand by WordPress" initiative. We will deploy the software in three different standard configurations: blog, company's portfolio and e-commerce. 

We will do continuous appsec during development of 4.3 version in order to quickly spot security issues before the August release. In addition, we will take care of hardening guidelines and both plugins and themes subsystems in order to improve the overall architecture. 

You can follow the progress of the "Stand by WordPress" initiative here: [https://standbywordpress.wordpress.com https://standbywordpress.wordpress.com]

===GlobaLeaks===
''Luca Carettoni, Giovanni Cerrato, Marco Lancini''

[https://www.globaleaks.org/ GlobaLeaks] is the first open-source whistleblowing framework. It empowers anyone to easily set up and maintain an anonymous whistleblowing platform. 

Considering the potential hostile environments in which the application may be hosted, security vulnerabilities and abuses are primary concerns for GlobaLeaks’ maintainers. 

We want to help the team in their excellent application security practices, by performing vulnerability research activities in order to discover unknown bugs within the boundaries of their specific [https://docs.google.com/document/d/1niYFyEar1FUmStC03OidYAIfVJf18ErUFwSWCmWBhcA/pub threat model]. In particular, we will be focusing on two main software components (GLBackend and GLClient) and new security-relevant changes (upcoming authentication re-factoring and end-to-end encryption). 

For more information on '''Adopt OSS''', please send an email to [mailto:owasp-italy@lists.owasp.org owasp-italy@lists.owasp.org]
 

== OWASP-Isaca Conference @ Rome 11-12th December 2014 ==
The agenda is online! 
http://www.isacaroma.it/images/owasp_agenda_11-12-12-2014.JPG

 

== OWASP-Isaca Conference @ Venice 3rd October 2014 ==
The agenda: 
[[File:Venice2014.jpg]]
 
Here is the [https://www.owasp.org/images/d/d3/OWASPVenice2014.pdf flyer]

== OWASP-Italy Day @ the University of Genova (14th May 2014) ==
Thank to the collaboration with [http://www.ai-lab.it/armando Prof. Alessandro Armando] and to the availability of Gary McGraw, Ph.D. CTO, Cigital we are planning an incredible [https://www.owasp.org/index.php/Italy_OWASP_Day_2014_Genova OWASP Day next 14th May].
 

 
== OWASP Italy @ Security Summit 2014 ==
OWASP Italy participated to the Security Summit 2014 in Milan with 3 talks. 
[https://www.securitysummit.it/milano-2014/seminari-associazioni/talk-34/ See here for all the details] 
 

== OWASP EU Tour 2013 - 27th June - Rome==

<noinclude>{{:EUTour2013 header}}</noinclude>

Thanks to the collaboration with Università Degli Studi Roma Tre, next 27th June we will have the OWASP EU Tour Rome Conference. 
OWASP Europe TOUR, is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The conference will be held at Università Degli Studi Roma Tre. Address: Via Vito Volterra, 62, Rome.

[https://www.owasp.org/index.php/EUTour2013_Rome_Agenda Here you can find the agenda and all the information to participate]

== OWASP Italy @ Security Summit 2013 ==

OWASP Italy participated to the Security Summit 2013 in Milan with 2 talks. 
[http://milano2013.securitysummit.it/eventi/view/35 See here for all the details] 

== OWASP Italy Day 2012: "Web Security in a Mobile World" ==

<center>[[File:OWASPITDay2012.jpg]] </center>

We are pleased to announce that the [http://www.owasp.org/index.php/Italy OWASP Italy chapter] will host the OWASP Italy Day 2012 conference in Rome, Italy at the University of Rome La Sapienza next 23rd November 2012.

More information [https://www.owasp.org/index.php?title=Italy_OWASP_Day_2012 here]

== OWASP-Italy Board ==

*This is the '''OWASP-Italy Board''':
Founder and Chair: Matteo Meucci (Jan 2005) 
OWASP Italy Board: Paolo Perego, Luca Carettoni, Antonio Parata, Giorgio Fedon, Stefano Di Paola, Mauro Bregolin, Claudio Merloni, Raoul Chiesa.

==== Partnerships ====

*ISC2-Italian Chapter: Thanks to Marco Misitano, Paolo Ottolino and Claudio Sasso, OWASP Italy collaborates with the ISC2-Italian Chapter for new initiatives regarding Security Conferences, articles and contentes regarding SDLC.

[http://www.isc2chapter-italy.it https://www.owasp.org/images/a/a3/ISC2Italy.jpg]

*CSA Italy Partnership

[http://chapters.cloudsecurityalliance.org/italy/ https://www.owasp.org/images/6/6a/CSAItalylogo.gif]

Thanks to Alberto Manfredi (CSA Italy President) we are starting a collaboration with the Italian Chapter of the Cloud Security Alliance.

*IsecLab Partnership

[http://www.iseclab.org http://www.owasp.org/images/4/4b/LogoIsecLab.png]

We are beginning a collaboration with David Balzarotti and Marco Balduzzi of International Secure Systems Lab(IsecLab) with the goal of sharing and improving new WebAppSec projects. 

*CLUSIT Member

http://www.clusit.it/logo_clusit/clusit_logo_b130.gif

Thanks to CLUSIT and OWASP Foundation we have established a cross-membership between the two organizations. So OWASP-Italy is now a [http://www.clusit.it/soci.htm CLUSIT member] and CLUSIT is an OWASP Educational Member.

*ISACA Rome

[http://www.isacaroma.it http://www.owasp.org/images/9/98/Isacaroma.gif]

Thanks to Ugo Spaziani, we are developing seminars and new ideas with ISACA Rome. 

==== News ====

== Security Summit 2012 ==
- 21st March 2012, OWASP Italy will present 3 talks:

- Antonio Parata e Paolo Perego:"Security Testing for developers" 
- Giorgio Fedon: "Banking Malware evolution in Italy: defense approach" 
- Stefano Di Paola:"DOM Xss: la nuova generazione di vulnerabilità applicative" 
Please subscribe for free here: https://www.securitysummit.it/eventi/view/21

== Security Summit 2011 ==
- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

'''OWASP Books are out!'''

Now you can download or buy a book on the OWASP Projects. Check it here: http://stores.lulu.com/owasp

==== Activities ====

*(Jun 10): OWASP Testing Guide presentation at FBK (Fondazione Bruno Kessler).

*(May 10): OWASP Training at London: last 28th May in London, OWASP leaders deliver a course focused on the main OWASP Projects. This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
This Course was FREE for OWASP Members.
http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY

*(Jan 09) OWASP Testing Guide v3 is finished! You can download or browse it [http://www.owasp.org/index.php/Category:OWASP_Testing_Project here]

*(Mar 07) Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )

[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

*(Oct 06) ISACA Roma has published several interview with OWASP-Italy members:

[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/328 Carlo Pelliccioni]] 

*(Sep 06) Paolo Perego has created the new '''OWASP Orizon Project'''. Go to [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] 

*(Sep 06) Matteo Meucci has been selected as the new editor of the '''OWASP Testing Guide v2'''. See OWASP [http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006_:_Selected_Projects_Press_Release press release] and go to [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Project v2]

*(Sep 06) Carlo Pelliccioni is writing an article about the [http://www.owasp.org/index.php/Analysis_about_error_codes analysis of error codes] received by web servers.

*Top10 Vulnerabilities - OWASP-Italy survey:

[[Image:Top 10 vulnerabilities-mini.GIF]]

*(21 Jun 06) '''Infosecurity 2006''': the event is organized and managed by the CLUSIT.

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". [http://www.infosecurity.it/Roma/programma.php More info here]

*(1 Jun 06) '''"Quaderno CLUSIT"'''

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but will be made public in about 3 months.

*(31 May 06) Luca Carettoni has published the article '''"La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project".''' [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

*(1 Mar 06) '''OWASP-Boston, Microsoft'''

Thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting. [http://www.owasp.org/local/boston.html More info here]

*(18 Nov 05) '''IDC - European Banking Forum'''

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will have a great speech at the [http://www.idc.com/italy/events/banking05/banking05_agenda.jsp IDC European IT Banking Forum 2005]. Agenda: - New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair - Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy

*(Oct 05) '''SMAU 2005''' is the 42a International ICT & Consumer Electronics Exhibition for Italy.

SMAU has accepted our submission! [http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili More info here]

*(Giu 05) Thanks to Massimiliano Graziani we have translated in italian the '''"OWASP Pen Test Checklist v.1.1"'''. You can download it [http://www.owasp.org/documentation/testing.html here.]

Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

*(May 05) '''ISACA Roma Newsletter''' has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

*(Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

*The presentation of the seminar we have done in '''ISACA Rome''' (31th March 2005) is now available [http://www.isacaroma.it/pdf/050331/meucci.zip here.]

*(Apr 05) We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

*(Mar 05) Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

*[http://www.isacaroma.it/html/newsletter/?q=node/78 Here] you can read an interview talking about OWASP.

==== Events ====

=== 15th March, 2011 - OWASP-Italy@Security Summit ===

- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

=== November, 2010 - OWASP-Italy Day V ===

- OWASP Day for E-Gov 2010: 9th November 2010 - Rome. 
An event organized by Consip. More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_10 here]

=== November, 2009 - OWASP-Italy Day IV ===

----
Following on from the great success of last OWASP Days the forth conference has taken place in November 2009 in Milan. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_4 here] 

OWASP Day for E-Gov 2009: 5th November 2009 - Rome. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09 here]

=== 31st March, 2009 - OWASP-Italy @ PCI Milan ===

----

Matteo Meucci was invited to talk about OWASP Testing Guide and PCI-DSS Standard at the [http://www.pci-portal.com/lang-en/events/event-info/pcimilan PCI Milan event] last 31st March.

The presentation is published [http://www.owasp.org/images/3/38/MeucciPciMilan09.pdf here]

=== 23rd February, 2009 - OWASP Day III ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_3 "Web Application Security: research meets industry"] Presentations are online!

=== 10th October, 2008 - Isaca Roma PCM 2008 ===

----

Matteo Meucci presented the new OWASP Projects and the Application Security in the Italian Companies. More information [http://www.isacaroma.it/html/ArchivioEventi-081010.html here]

=== 31st March, 2008 - OWASP Day II ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_2 "The State of the Art of the Web Application Security and the OWASP guidelines in the Companies"] Presentations are online!

=== February 2008 - OWASP Italy at InfoSecurity 2008 ===

----

5th February:

*14:30 - The Owasp Orizon project: internals and hands on

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_94.aspx Paolo Perego]

6th February:

*14:30 - Costruire Software Sicuro dalle Fondamenta

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_128.aspx Antonio Parata]

7th February:

*10:30 - Tu programmi. Io buco.

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_137.aspx Luca Carettoni]

[http://www.infosecurity.it Here] you can read more information about it.

 

=== November 30th, 2007 - OWASP-Italy @ Elsag Datamat Security Forum ===

----

Matteo Meucci was invited to talk about OWASP Guidelines and SDLC Security at the Elsag Datamat Security Forum 2007 Where: Pescara When: 30th November 2007, h.12.30

=== October 20th, 2007 - OWASP Italy at SMAU E-Academy 2007 ===

----

Last 20th October 2007 we had 5 speeches at SMAU E-Academy 2007, here you can download our presentations:

*Giorgio Fedon, COO at Minded Security:

[http://www.owasp.org/.pdf "Dove sono finiti i miei soldi? Internet Banking e Cross Site Scripting"] (coming soon) [[Image:FedonSMAU07.pdf]]

*Paolo Perego, Senior Security Consultant at Spike Reply:

[https://www.owasp.org/images/7/79/PeregoSMAU07.ppt "The Owasp Orizon project - bring security at the source"]

*Antonio Parata, Security Consultant at eMaze:

"Valutazione del rischio tramite la logica fuzzy" (coming soon) [[Image:ParataSMAU07.pdf]]

*Alberto Revelli, Senior Security Consultant at Portcullis Security:

[http://www.owasp.org/images/9/9f/RevelliSMAU07.pdf "Anti-Anti-XSS: bypass delle difese del browser"]

*Stefano Di Paola, CTO at Minded Security:

"Cros-site Flashing! Gli attacchi Web di ultima generazione parlano multipiattaforma" (coming soon) [[Image:DiPaolaSMAU07.pdf]]

 

=== September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" ===

----

https://www.owasp.org/index.php/Italy_OWASP_Day_1

 

=== May 29th, 2007 - Seminar: "Software Security" ===

----

*Stefano Di Paola, Paolo Perego and Matteo Meucci will talk at the Seminar: [http://www.sicurinfo.it/informazioni/visinf.asp?IDInfo=246&CAT=53 "Which approaches to Software Security"] organized by Firenze Tecnologia.

 

=== May 15th-17th, 2007 - 6th OWASP AppSec Conference in Italy ===

----

*We are in the initial planning stages for the next OWASP Europe conference, which we plan to hold in Italy in May 2007.

[http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007 Here] you can find all the details about the conference, cfp and sponsorship.

=== April 14th, 2007 - Master on Information Security, University of Rome "La Sapienza" ===

----

*We have done a 4h seminar for the students of [http://mastersicurezza.uniroma1.it/ Master on Information Security at "La Sapienza"] for the [http://icsecurity.di.uniroma1.it/dokuwiki/doku.php?id=projects:asp Application Security Project of "La Sapienza" University.]

 

=== March 30th, 2007 - University of Rome "La Sapienza" ===

----

*Thanks to Prof. Mancini and Roberto D'Addario, we will talk about OWASP at the convention "Institutions, Companies and Information Security: comparing the problems"

[http://w3.uniroma1.it/security/Eventi/eventi.html Here] you can find more details.

 

=== March 1st, 2007 - EuSecWest 07 ===

----

Alberto Revelli and Matteo Meucci presented the new OWASP Testing Guide at [http://www.eusecwest.com/agenda.html EUSecWest]. [http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip Here] you take a look at the presentation.

=== February 6th-8th, 2007 - InfoSecurity ===

----

*February 6th:15.30

After the great success obtained form CCC at Berlin, Stefano Di Paola and Giorgio Fedon will talk about:" Web Security Client Side: attacks at Web 2.0" More information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=aqfi82GOKd6I748s1evI8Q%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 6th:16.30

After the great effort on the Testing Guide Project, Matteo Meucci and Alberto Revelli will present: "The new OWASP Testing Guide" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=nq6tSIuRoPVJBanBSsRiSQ%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 7th:12.30

Authors of innovative SQL injection tools, Alberto Revelli and Antonio Parata will show: "Advanced SQL Injection: testing tools and defensive strategies." More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=3z04F5BgZRgfU0YX8JRYtA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here]

*February 7th:13.30

Author of the new OWASP Orizon project, Paolo Perergo will present:"Secure programming: from theory to practice" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=9HePIzyo5p29ylpGBl6CiA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

=== January 25th, 2007 - Isaca Rome ===

----

Matteo Meucci will discuss the new [http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide v2] For more information: http://www.isacaroma.it/html/GiornateDiStudio.html

=== October 7th, 2006 - SMAU 2006 ===

----

- "''The quest for secure code: code review and fundamental of secure coding.''" Matteo Meucci will present an introduction to the new OWASP Projects and OWASP-Italy activities. Paolo Perego (sp0nge) will speak about safe coding and the importance of code periodic review as natural software life cycle. Paolo will give a vision on code review and its phases http://www.webb.it/event/eventview/5772

Here are the presentations: [[Image:Meucci SMAU06.pdf|Meucci_SMAU06]] [[Image:Perego SMAU06.pdf|Perego_SMAU 06]]

- "''Advanced SQL Injection.''" Antonio Parata (S4tan) will explain SQL Injection, and how SQL Inference works on PHP/MySql platform. He will present an open source tool to support the testing. Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation: "SQL Injection + debug.exe + DNS = DOS prompt" ! http://www.webb.it/event/eventview/5774

[[Image:Revelli SMAU06.pdf|Revelli_SMAU06]] [[Image:Parata SMAU06.pdf|Parate_SMAU06]] 

[[Image:OWASP-Italy at SMAU06 2.JPG]] Luca, Carlo, Alberto, Antonio, Stefano Matteo, Paolo, Giorgio

=== September 29th, 2006 - OpenExp 2006 ===

----

September 30th, at 10:45 Antonio Parata (S4tan) will speak about SQL Injection: techniques, tools and practical examples.

Abstract: Antonio will introduce some basic concepts about software security. It will be shown how SQL Inference works on PHP/MySql platform and presented an open source tool to support the testing. Finally will be listed some advises to avoid common bugs. http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.

[[Image:Antonio Matteo Carlo.JPG]] [[Image:Antonio speech.JPG]] [[Image:Carlo.JPG]] [[Image:Claudio Luca.JPG]] [[Image:Mayhem Matteo.JPG]] [[Image:OWASP Banner2.JPG]] [[Image:OWASP Banner.JPG]]

=== June 21th, 2006 - InfoSecurity 2006 ===

----

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by the CLUSIT.

Where: Sheraton Roma Hotel - Viale Del Pattinaggio, 100 When: 10,30 - 17,00 Who: Matteo Meucci and Alberto Revelli Link: http://www.infosecurity.it/Roma/programma.php

Agenda: -- I Session -- Introduction to Web Application Security • Which are the risks? • Risk assessment of a web application • Core pillars of web security How to develop secure web applications: • Guidelines and case-studies

-- II Session -- How to realize a security audit of a web application • The methodology OWASP Penetration Testing • The tools: OWASP WebScarab • Hands-on web application vulnerabilities: OWASP WebGoat • Advanced SQL Injection.

 

=== March 1st, 2006 - OWASP-Boston, Microsoft ===

----

Thanks to Jim Weiler (OWASP-Boston Chair), Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting of march. [http://www.owasp.org/index.php/Boston More info here]

=== November 5th, 2005 - IDC - European Banking Forum ===

----

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we have had a great speech at the IDC European IT Banking Forum 2005 (18 Nov 2005). http://www.idc.com/italy/events/banking05/banking05_agenda.jsp Agenda:

*New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
*Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy.

You can download the report [http://cdn.idc.com/italy/downloads/report_banking05_eng.pdf here].

You can download the Case-Study of a vulnerable Home Banking Web Application [http://www.owasp.org/docroot/owasp/misc/IDC_BankingForum05v1.ppt here].

=== October 5th, 2005 - OWASP-Italy@SMAU2005 ===

----

SMAU is the 42a International ICT & Consumer Electronics Exhibition for Italy. Alberto Revelli (our Technical Director) and Matteo Meucci have conducted a seminar talking about Web Application Security. Alberto has presented his new project: [http://sqlninja.sourceforge.net sqlninja]. Very cool!!

http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili

=== May 25th, 2005 - ISACA Rome 2nd meeting ===

----

May 25th we'll be in ISACA Rome to present OWASP WebGoat and a real case of a Web Application Vulnerability. Every one is invited to join the meeting.

Here is the agenda: 14.30 Registration 14.45 Matteo Meucci - Web Application Security Phase II - OWASP WebScarab and PenTest Checklist

*A case-study of a Web Application Vulnerability: MMS Spoofing

--- Web Application analysis --- Authentication and Billing of the MMS service --- Vulnerabilities --- Attack Analysis

*Learning the most common web application vulnerabilities: OWASP WebGoat

--- Http Basics --- HTML Clues --- Hidden Field Tampering --- How to spoof a Session Cookie --- Stored Cross Site Scripting --- Command Injection --- SQL Injection --- Fail Open Authentication

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC

You can download the presentation [http://www.isacaroma.it/pdf/050525/OWASP.zip here].

=== May 18th, 2005 - Workshop on Computer Crime 2005 ===

----

 May 18th, 2005 OWASP-Italy is invited to present OWASP Top 10 to the "Workshop on Computer Crime 2005" titled: "EVOLUZIONI NORMATIVE E RECENTI PROBLEMATICHE DI SICUREZZA"

The meeting is held at: Sala delle conferenze dell'Istituto Centrale della Banche Popolari Italiane Via Verziere, 11

You can download the presentation [http://www.owasp.org/images/a/aa/Top10-ComputerCrimes.ppt here].

=== March 31th, 2005 - ISACA Rome meeting ===

----

March 31th we'll be in ISACA Rome to present OWASP and the Web Application Security. Every one is invited to join the meeting.

Here is the agenda: 14.15 Registration 14.30 Matteo Meucci - Web Application Security - OWASP Guide: how to build secure web application - How to test your Web Application: WebScarab and the WebApp PenTest Checklist - How to learn the most common web application vulnerability: WebGoat - The Top Ten WebApp vulnerabilities - Common error on developing Web Application: Authentication mechanisms not "secure" Buffer Overflow and crash of the service Thief of identity: Cross Site Scripting Manipulation of company data: SQL Injection Reserved information: misconfiguration Bad session management and thief of identity - OWASP-Italy: projects and next challenges

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC http://www.isacaroma.it/html/GiornateDiStudio.html

You can download the presentation [http://www.isacaroma.it/pdf/050331/meucci.zip here].

=== March 21th, 2005 - OWASP-Italy conducts a seminar in AlmaWeb ===

----

March, the 21th OWASP-Italy has been invited at the University of Bologna to conduct a seminar regards to [http://www.almaweb.unibo.it/830.dyn Master in Management and Information Technology] titled “Web Application Security and OWASP”.

Here is the agenda: - OWASP & Web Application Security - Common Web Application Vulnerabilities - A real case of web application vulnerability: MMS Spoofing&Billing - Training: WebGoat

==== Publications ====

=== October 2009 Interview on "Il sole 24 ore" ===
----

[http://www.owasp.org/images/5/5c/Nova09.pdf Gary McGraw and Matteo Meucci] interviewed by NOVA, talking about BSIMM and OWASP.

=== March, 2007 Interview on HTML.it ===

----

Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) ) [http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

=== October, 2006 ISACA Roma interviews OWASP-Italy ===

----

After the speeches that OWASP-Italy has done at [http://www.smau.it/catnews.asp?l=2&codcat=385 SMAU E-Academy 2006], ISACA Roma has interviewed some of the people of the Italian chapter. Follow the links for the full interviews (in italian): [[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli ]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/322 Stefano Di Paola & Giorgio Fedon]]

=== Aug, 2006 - Article on Banca Finanza magazine ===

----

Banca Finanza, the italian magazine about finance and banking, has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security [[Media:042006BF.pdf]]

=== June, 2006 - Quaderno CLUSIT ===

----

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but it will be public in about 3 months.

=== June, 2006 - Paper on SQL Injection and Inference on PHP/MySQLInference ===

----

Antonio "s4tan" Parata has published an article about SQL Injection based on Inference for testing web application on PHP/MySQL platform. [http://www.ictsc.it/papers/sqlInferenceOnMySql.html Here]you can read the full article.

=== May, 2006 - Published an article about OWASP and Top-10 Vulnerabilities ===

----

Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project". [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

=== June, 2005 - OWASP Pen Test Checklist v 1.1 in Italian ===

----

Thanks to Massimiliano Graziani we have translated in italian the "OWASP Pen Test Checklist v.1.1". You can download it [http://www.owasp.org/documentation/testing.html here.] Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

=== May, 2005 - Isaca Roma Newsletter about OWASP-Italy ===

----

ISACA Roma Newsletter has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

=== April, 2005 - Published "MMS Spoofing" ===

----

We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

Jim Hewitt, CISSP PMP working at CGI-AMS, affirms (slide#78): "Very interesting analysis of spoofed cell phone messaging and fraudulent billing". See: www.techvalleynyissa.org/Resources/2005_07_WebApplicationSecurity.ppt

=== April, 2005 - Published an article on ICT Security magazine ===

----

We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

=== March, 2005 - OWASP Top-10 in Italian ===

----

Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

 

----

==== Tools & Research ====

----

=== Nov, 2007 - sqlmap v0.5 ===

Bernardo Damele and Daniele Bellucci have released the fifth versions of the tool [http://sqlmap.sourceforge.net sqlmap]. sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

You can download the latest stable version from its [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 SourceForge File List page] or the latest development version from its [https://sqlmap.svn.sourceforge.net/svnroot/sqlmap SourceForge SVN repository].

=== Dec, 2006 - sqlmap v0.2 ===

Bernardo Damele and Daniele Bellucci have released a second version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://sqlmap.sourceforge.net/ Here] you can download the tool

=== September, 2006 - Wisec Project ===

Stefano Di Paola is developing Wisec - The Wiki Security Project [http://www.wisec.it Here] you can accesses the project.

=== July, 2006 - Sqlmap v0.0.1 ===

Daniele Bellucci has developed a first version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://www.linux.it/~belch/?p=17 Here] you can download the tool

----

__NOTOC__ <headertabs />

[[Category:OWASP_Chapter]]
[[Category:Europe]]

Testing for MS Access

2013-09-01T06:55:45Z

Luca Carettoni:

{{Template:OWASP Testing Guide v4}}

== Short Description of the Issue ==
As explained in the generic [[SQL injection]] section, SQL injection vulnerabilities occur whenever user-supplied input is used during the construction of a SQL query without being adequately constrained or sanitized. This class of vulnerabilities allows an attacker to execute SQL code under the privileges of the user that is used to connect to the database.

In this section, relevant SQL injection techniques that utilize specific features of [http://en.wikipedia.org/wiki/Microsoft_Access Microsoft Access] will be discussed.

== Black Box Testing and Example ==

=== Fingerprinting ===

Fingerprinting the specific database technology while testing SQL-powered application is the first step to properly asses potential vulnerabilities.
A common approach involves injecting standard SQL injection attack patterns (e.g. single quote, double quote, ...) in order to trigger database exceptions.

Assuming that the application does not handle exceptions with custom pages, it is possible to fingerprint the underline DBMS by observing error messages.
Depending on the specific web technology used, MS Access driven applications will respond with one of the following errors:

Fatal error: Uncaught exception 'com_exception' with message Source: Microsoft JET Database Engine

or

Microsoft JET Database Engine error '80040e14'

or

Microsoft Office Access Database Engine

In all cases, we have a confirmation that we're testing an application using MS Access database.

=== Basic Testing ===

Unfortunately, MS Access doesn't support typical operators that are traditionally used during SQL injection testing, including:

* No comments characters
* No stacked queries
* No LIMIT operator
* No SLEEP or BENCHMARK alike operators
* and many others

Nevertheless, it is possible to emulate those functions by combining multiple operators or by using alternative techniques.

As mentioned, it is not possible to use the trick of inserting the characters <code>/*</code>, <code>--</code> or <code>#</code> in order to truncate the query. However, we can fortunately bypass this limitation by injecting a 'null' character. Using a null byte <code>%00</code> within
a SQL query results in MS Access ignoring all remaining characters. This can be explained by considering that all strings are NULL terminated in the internal representation used by the database. It is worth mentioning that the 'null' character can sometimes cause troubles too as it may truncate strings at the web server level. In those situations, we can however employ another character: 0x16 (%16 in URL encoded format).

Considering the following query:

SELECT [username],[password] FROM users WHERE [username]='$myUsername' AND [password]='$myPassword'

We can truncate the query with the following two URLs:

http://www.example.com/page.asp?user=admin'%00&pass=foo
http://www.example.com/page.app?user=admin'%16&pass=foo

The <code>LIMIT</code> operator is not implemented in MS Access, however it is possible to limit the number of results by using the <code>TOP</code> or <code>LAST</code> operators instead.

http://www.example.com/page.app?id=2'+UNION+SELECT+TOP+3+name+FROM+appsTable%00

By combining both operators, it is possible to select specific results.

String concatenation is possible by using <code>& (%26)</code> and <code>+ (%2b)</code> characters.

There are also many other functions that can be used while testing SQL injection, including but not limited to:
* ASC: Obtain the ASCII value of a character passed as input
* CHR: Obtain the character of the ASCII value passed as input
* LEN: Return the length of the string passed as parameter
* IIF: Is the IF construct, for example the following statement IIF(1=1, 'a', 'b') return 'a'
* MID: This function allows you to extract substring, for example the following statement mid('abc',1,1) return 'a'
* TOP: This function allows you to specify the maximum number of results that the query should return from the top. For example TOP 1 will return only 1 row.
* LAST: This function is used to select only the last row of a set of rows. For example the following query SELECT last(*) FROM users will return only the last row of the result.

Some of these operators are essential to exploit blind SQL injections. For other advanced operators, please refer to the documents in the references.

==== Attributes Enumeration ====

In order to enumerate the column of a database table, it is possible to use a common error-based technique.
In short, we can obtain the attributes name by analyzing error messages and repeating the query with different selectors. For example,
assuming that we know the existence of a column, we can also obtain the name of the remaining attributes with the following query:

' GROUP BY Id%00

In the error message received, it is possible to observe the name of the next column. At this point, we can iterate the
method until we obtain the name of all attributes. If we don't know the name of the first attribute, we can still insert a fictitious column name and obtain the name of the first attribute within the error message.

==== Obtaining Database Schema ====

Various system tables exist by default in MS Access that can be potentially used to obtain table names and columns. Unfortunately, in the default configuration of recent MS Access database releases, these tables are not accessible. Nevertheless, it is always worth trying:

* MSysObjects
* MSysACEs
* MSysAccessXML

For example, if a union SQL injection vulnerability exists, you can use the following query:

' UNION SELECT Name FROM MSysObjects WHERE Type = 1%00

Alternatively, it is always possible to bruteforce the database schema by using a standard wordlist (e.g. [http://code.google.com/p/fuzzdb/ FuzzDb]).

In some cases, developers or system administrators do not realize that including the actual ''.mdb'' file within the application webroot can allow to download the entire database. Database filenames can be inferred with the following query:

http://www.example.com/page.app?id=1'+UNION+SELECT+1+FROM+name.table%00

where <code>name</code> is the ''.mdb'' filename and <code>table</code> is a valid database table.
In case of password protected databases, multiple software utilities can be used to crack the password. Please refer to the references.

=== Blind SQL Injection Testing ===

[[Blind SQL Injection]] vulnerabilities are by no means the most easily exploitable SQL injections while testing real-life applications. In case of recent versions of MS Access, it is also not feasible to execute shell commands or read/write arbitrary files.

In case of blind SQL injections, the attacker can only infer the result of the query by evaluating time differences or application responses. It is supposed that the reader already knows the theory behind blind SQL injection attacks, as the remaining part of this section will focus on MS Access specific details.

The following example is used:

http://www.example.com/index.php?myId=[sql]

where the id parameter is used within the following query:

SELECT * FROM orders WHERE [id]=$myId

Let's consider the <code>myId</code> parameter vulnerable to blind SQL injection. As an attacker, we want to extract the content of column 'username' in the table 'users', assuming that we have already disclosed the database schema.

A typical query that can be used to infer the first character of the username of the 10th rows is:

http://www.example.com/index.php?id=IIF((select%20MID(LAST(username),1,1)%20from%20(select%20TOP%2010%20username%20from%20users))='a',0,'no')

If the first character is 'a', the query will return 0 or otherwise the string 'no'.

By using a combination of the IFF, MID, LAST and TOP functions, it is possible to extract the first character of the username on a specifically selected row. As the inner query returns a set of records, and not just one, it is not possible to use it directly. Fortunately, we can combine multiple functions to extract a specific string.

Let's assume that we want to retrieve the username of the 10th row. First, we can use the TOP function to select the first ten rows using the following query:

SELECT TOP 10 username FROM users

Then, using this subset, we can extract the last row by using the LAST function. Once we have only one row and exactly the row containing our string, we can use the IFF, MID and LAST functions to infer the actual value of the username. In our example, we employ IFF to return a number or a string. Using this trick, we can distinguish whether we have a true response or not, by observing application error responses. As <code>id</code> is numeric, the comparison with a string results in a SQL error that can be potentially leaked by <code>500 Internal Server Error pages</code>. Otherwise, a standard <code>200 OK</code> page will be likely returned.

For example, we can have the following query:

http://www.example.com/index.php?id='%20AND%201=0%20OR%20'a'=IIF((select%20MID(LAST(username),1,1)%20from%20(select%20TOP%2010%20username%20from%20users))='a','a','b')%00

that is TRUE if the first character is 'a' or false otherwise.

As mentioned, this method allows to infer the value of arbitrary strings within the database:

# By trying all printable values, until we find a match
# By inferring the length of the string using the LEN function, or by simply stopping after we have found all characters

Time-based blind SQL injections are also possible by abusing [http://technet.microsoft.com/it-it/library/cc512676%28en-us%29.aspx heavy queries].

== References ==

* http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
* http://packetstormsecurity.com/files/65967/Access-Through-Access.pdf.html
* http://seclists.org/pen-test/2003/May/74
* http://www.techonthenet.com/access/functions/index_alpha.php
* http://en.wikipedia.org/wiki/Microsoft_Access

Testing for MS Access

2013-09-01T06:24:00Z

Luca Carettoni:

{{Template:OWASP Testing Guide v4}}

== Short Description of the Issue ==
As explained in the generic [[SQL injection]] section, SQL injection vulnerabilities occur whenever user-supplied input is used during the construction of a SQL query without being adequately constrained or sanitized. This class of vulnerabilities allows an attacker to execute SQL code under the privileges of the user that is used to connect to the database.

In this section, relevant SQL injection techniques that utilize specific features of [http://en.wikipedia.org/wiki/Microsoft_Access Microsoft Access] will be discussed.

== Black Box Testing and Example ==

=== Fingerprinting ===

Fingerprinting the specific database technology while testing SQL-powered application is the first step to properly asses potential vulnerabilities.
A common approach involves injecting standard SQL injection attack patterns (e.g. single quote, double quote, ...) in order to trigger database exceptions.

Assuming that the application does not handle exceptions with custom pages, it is possible to fingerprint the underline DBMS by observing error messages.
Depending on the specific web technology used, MS Access driven applications will respond with one of the following errors:

Fatal error: Uncaught exception 'com_exception' with message Source: Microsoft JET Database Engine

or

Microsoft JET Database Engine error '80040e14'

or

Microsoft Office Access Database Engine

In all cases, we have a confirmation that we're testing an application using MS Access database.

=== Basic Testing ===

Unfortunately, MS Access doesn't support typical operators that are traditionally used during SQL injection testing, including:

* No comments characters
* No stacked queries
* No LIMIT operator
* No SLEEP or BENCHMARK alike operators
* and many others

Nevertheless, it is possible to emulate those functions by combining multiple operators or by using alternative techniques.

As mentioned, it is not possible to use the trick of inserting the characters <code>/*</code>, <code>--</code> or <code>#</code> in order to truncate the query. However, we can fortunately bypass this limitation by injecting the 'null' character. Using a null byte <code>%00</code> within
a SQL query will result in MS Access ignoring all remaining characters. This can be explained by considering that all strings are NULL terminated in the internal representation used by the database. It is worth mentioning that the 'null' character can sometimes cause troubles too as it may truncate strings at the web server level. In those situations, we can however employ another character: 0x16 (%16 in URL encoded format).

Considering the following query:

SELECT [username],[password] FROM users WHERE [username]='$myUsername' AND [password]='$myPassword'

We can truncate the query with the following two URLs:

http://www.example.com/page.asp?user=admin'%00&pass=foo
http://www.example.com/page.app?user=admin'%16&pass=foo

The <code>LIMIT</code> operator is not implemented in MS Access, however it is possible to limit the number of results by using the <code>TOP</code> or <code>LAST</code> operators instead.

http://www.example.com/page.app?id=2'+UNION+SELECT+TOP+3+name+FROM+appsTable%00

By combining both operators, it is possible to select specific results.

String concatenation is possible by using <code>& (%26)</code> and <code>+ (%2b)</code> characters.

There are also many other functions that can be used while testing SQL injection, including but not limited to:
* ASC: Obtain the ASCII value of a character passed as input
* CHR: Obtain the character of the ASCII value passed as input
* LEN: Return the length of the string passed as parameter
* IIF: Is the IF construct, for example the following statement IIF(1=1, 'a', 'b') return 'a'
* MID: This function allows you to extract substring, for example the following statement mid('abc',1,1) return 'a'
* TOP: This function allows you to specify the maximum number of results that the query should return from the top. For example TOP 1 will return only 1 row.
* LAST: This function is used to select only the last row of a set of rows. For example the following query SELECT last(*) FROM users will return only the last row of the result.

Some of these functions are essential to exploit blind SQL injections. For other advanced operators, please refer to the references.

==== Attributes Enumeration ====

In order to enumerate the attributes of a query, it is possible to use a common error-based technique.
In short, we can obtain the attributes name by analyzing error messages and repeating the query with different selectors. For example,
assuming that we know the existence of a parameter, we can also obtain the name of the remaining attributes with the following query:

' GROUP BY Id%00

In the error message received we can see that the name of the next attribute is shown. At this point, we iterate the
method until we obtain the name of all attributes. If we don't know the name of at least
one attribute, we can insert a fictitious column name and obtain the name of the first attribute within the error message.

==== Obtaining Database Schema ====

Various system tables exist by default in MS Access that can be potentially used to obtain table names. Unfortunately, in the default configuration of recent MS Access database releases, these tables are not accessible. Nevertheless, it is always worth trying.

* MSysObjects
* MSysACEs
* MSysAccessXML

For example, if a union SQL injection vulnerability exists, you can use the following query:

' UNION SELECT Name FROM MSysObjects WHERE Type = 1%00

Alternatively, it is always possible to bruteforce the database schema by using a standard wordlist (e.g. [http://code.google.com/p/fuzzdb/ FuzzDb]).

In some cases, developers or system administrators do not realize that including the actual ''.mdb'' file within the application webroot can allow to download to entire database. Database filename can be inferred with the following query:

http://www.example.com/page.app?id=1'+UNION+SELECT+1+FROM+name[i].table%00

where <code>name[i]</code> is the .mdb filename and <code>table</code> is a valid database table.
In case of password protected databases, multiple software utilities can be used to crack the password. Please refer to the references.

=== Blind SQL Injection Testing ===

[[Blind SQL Injection]] vulnerabilities are by no means the most frequent type of vulnerability that you will find while testing real-life vulnerabilities. Generally, you find an SQL injection in a parameter where no union query is possible. In case of MS Access, it is also not possible to execute shell commands or easily read/write arbitrary file.

In case of blind SQL injections, the attacker can only infer the result of the query by evaluating time differences or application responses. It is supposed that the reader already knows the theory behind blind SQL injection attacks, as the remaining part of this section will focus on MS Access specific details.

For our test we take the following example:

http://www.example.com/index.php?myId=[sql]

where the id parameter is used in the following query:

SELECT * FROM orders WHERE [id]=$myId

Let's consider the <code>myId</code> parameter vulnerable to blind SQL injection. As an attacker, we want to extract the content of column 'username' in the table 'users', assuming that we have already disclosed the database schema thanks to the techniques discussed above).

A typical query that can be used to infer the first character of the username of the 10th rows is:

http://www.example.com/index.php?id=IIF((select%20MID(LAST(username),1,1)%20from%20(select%20TOP%2010%20username%20from%20users))='a',0,'ko')

If the first character is 'a', the query will return 0 ("true response"), otherwise a 'ko' string.

By using a combination of the IFF, MID, LAST and TOP functions, it is possible to extract the first character of the username on a specifically selected row. As the inner query returns a set of records, and not just one, it is not possible to use it directly. Fortunately, we can combine multiple functions to extract the exact string.

Let's assume that we want to infer the username of the 10th row. First, we use the TOP function to select the first ten rows using the following query:

SELECT TOP 10 username FROM users

Then, using this subset, we extract the last row by using the LAST function. Once we have only one row and exactly the row containing our string, we can use the IFF, MID and LAST functions to infer the actual value of the username. In our example, we employ IFF to return a number or a string. Using this trick we can distinguish whether we have a true response or not, by observing application error responses. As <code>id</code> is of a numeric type, the comparison with a string results in a SQL error that can be potentially leaked by <code>500 Internal Server Error pages</code>. Otherwise, a standard <code>200 OK</code> returns.

For example, we can have the following query:

http://www.example.com/index.php?id='%20AND%201=0%20OR%20'a'=IIF((select%20MID(LAST(username),1,1)%20from%20(select%20TOP%2010%20username%20from%20users))='a','a','b')%00

that is true if the first character is 'a' or false otherwise.

As mentioned, this method allows to infer the value of arbitrary strings within the database:

# By trying all the printable values, until we find a match
# By inferring the length of the string using the LEN function, or by simply stopping after we have found all the characters

Time-based blind SQL injections are also possible, by abusing [http://technet.microsoft.com/it-it/library/cc512676%28en-us%29.aspx heavy queries].

== References ==

* http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
* http://packetstormsecurity.com/files/65967/Access-Through-Access.pdf.html
* http://seclists.org/pen-test/2003/May/74
* http://www.techonthenet.com/access/functions/index_alpha.php
* http://en.wikipedia.org/wiki/Microsoft_Access

Testing for MS Access

2013-08-31T20:49:59Z

Luca Carettoni:

{{Template:OWASP Testing Guide v4}}

== Short Description of the Issue ==
As explained in the generic [SQL injection] section, SQL injection vulnerabilities occur whenever user-supplied input is used during the construction of a SQL query without being adequately constrained or sanitized. This class of vulnerabilities allows an attacker to access the SQL servers and execute SQL code under the privileges of the user used to connect to the database.

In this section some SQL Injection techniques that utilize specific features of [http://en.wikipedia.org/wiki/Microsoft_Access Microsoft Access] will be discussed.

== Black Box testing and example ==

=== Fingerprinting ===

Fingerprinting the specific database technology while testing SQL-powered application is the first step to properly asses potential vulnerabilities.
A common approach involves injecting standard SQL injection attack patterns (e.g. single quote, double quote, ...) in order to trigger database exceptions.

Assuming that the application does not handle exceptions with custom pages, it is possible to fingerprint the underline DBMS by observing typical error messages.
Depending on the specific web technology used, MS Access driven applications will result in the following errors:

(Apache/PHP)

Fatal error: Uncaught exception 'com_exception' with message 'Source: Microsoft JET Database Engine Description:

(IIS/ASP)

Microsoft JET Database Engine error '80040e14'

In both cases, we have a confirmation that we're testing an application using MS Access database.

=== Basic Testing ===

Unfortunately, MS Access doesn't support typical operators that are traditionally used during SQL injection testing, including:

* No comments characters
* No stacked queries
* No LIMIT operator
* No SLEEP or BENCHMARK alike operators
* and many others

Nevertheless, it is possible to emulate those functions by combining multiple operators or by using alternative techniques.

As mentioned, it is not possible to use the trick of inserting the characters <code>/*</code>, <code>--</code> or <code>#</code> in order to truncate the query. However, we can fortunately bypass this limitation by injecting the 'null' character. Using a null byte <code>%00</code> within
a SQL query will result in MS Access ignoring all remaining characters. This can be explained by considering that all strings are NULL terminated in the internal representation used by the database. It is worth mentioning that the 'null' character can sometimes cause troubles too as it may truncate strings at the web server level. In those situations, we can however employ another character: 0x16 (%16 in URL encoded format).

Considering the following query:

SELECT [username],[password] FROM users WHERE [username]='$myUsername' AND [password]='$myPassword'

We can truncate the query with the following two URLs:

http://www.example.com/page.asp?user=admin'%00&pass=foo
http://www.example.com/page.app?user=admin'%16&pass=foo

The <code>LIMIT</code> operator is not implemented in MS Access, however it is possible to limit the number of results by using the <code>TOP</code> or <code>LAST</code> operators instead.

http://www.example.com/page.app?id=2'+UNION+SELECT+TOP+3+name+FROM+appsTable%00

By combining both operators, it is possible to select specific results.

String concatenation is possible by using <code>& (%26)</code> and <code>+ (%2b)</code> characters.

There are also many other functions that can be used while testing SQL injection, including but not limited to:
* ASC: Obtain the ASCII value of a character passed as input
* CHR: Obtain the character of the ASCII value passed as input
* LEN: Return the length of the string passed as parameter
* IIF: Is the IF construct, for example the following statement IIF(1=1, 'a', 'b') return 'a'
* MID: This function allows you to extract substring, for example the following statement mid('abc',1,1) return 'a'
* TOP: This function allows you to specify the maximum number of results that the query should return from the top. For example TOP 1 will return only 1 row.
* LAST: This function is used to select only the last row of a set of rows. For example the following query SELECT last(*) FROM users will return only the last row of the result.

Some of these functions are essential to exploit blind SQL injections. For other advanced operators, please refer to the references.

==== Attributes enumeration ====

In order to enumerate the attributes of a query, it is possible to use a common error-based technique.
In short, we can obtain the attributes name by analyzing error messages and repeating the query with different selectors. For example,
assuming that we know the existence of a parameter, we can also obtain the name of the remaining attributes with the following query:

' GROUP BY Id%00

In the error message received we can see that the name of the next attribute is shown. At this point, we iterate the
method until we obtain the name of all attributes. If we don't know the name of at least
one attribute, we can insert a fictitious column name and obtain the name of the first attribute within the error message.

==== Obtaining Database Schema ====

Various system tables exist by default in MS Access that can be potentially used to obtain table names. Unfortunately, in the default configuration of recent MS Access database releases, these tables are not accessible. Nevertheless, it is always worth trying.

* MSysObjects
* MSysACEs
* MSysAccessXML

For example, if a union SQL injection vulnerability exists, you can use the following query:

' UNION SELECT Name FROM MSysObjects WHERE Type = 1%00

Alternatively, it is possible to infere the database [HERE]

=== Blind SQL Injection testing ===
[[Blind SQL Injection]] vulnerabilities are by no means the most frequent type of vulnerability
that you will find. Generally, you find an SQL injection in a parameter where no union
query is possible. Also, usually, there is no chance to execute shell commands or to read/write
a file. All you can do is infer the result of your query. For our test we take the
following example:

http://www.example.com/index.php?myId=[sql]

where the id parameter is used in the following query:

SELECT * FROM orders WHERE [id]=$myId

For our test, we will consider the myId parameter vulnerable to blind SQL injection.
We want to extract the content of the table users, in particular, of the column
username (we have already seen how to obtain the name of the attributes thanks
to the error messages and other techniques). It is supposed that the reader already knows the theory behind
the blind SQL injection attack, so we go straight to show some examples. A typical query that
can be used to infer the first character of the username of the 10th rows is:

http://www.example.com/index.php?id=IIF((select%20mid(last(username),1,1)%20from%20(select%20top%2010%20username%20from%20users))='a',0,'ko')

If the first character is 'a', this query will return a 0 (a "true response"), otherwise a
'ko' string. Now we will explain why we have used this particular query.
The first thing to point out is that with the functions IFF, MID and LAST, we extract the first
character of the username of the selected row. Unfortunately, the original query returns a set of records and not only one record, so we can't use this methodology directly. We must first select only one row. We can use the TOP function, but it only works with the first row. To select the other
queries we must use a trick. We want to infer the username of the row number 10.
First we use the TOP function to select the first ten rows with the query:

SELECT TOP 10 username FROM users

Then, we extract from this set the last row with the function LAST. Once we have only one row and
exactly the row that we want, we can use the IFF, MID and LAST functions to infer the value
of the username.
It may be interesting to note the use of the IFF function. In our example we use IFF to return a number or a string. With this trick we can distinguish when we have a true response or not. This is because id is of a numeric type, so if we compare it with a string we obtain a SQL error, otherwise with the 0 value we have no errors. Of course if the parameter was of type string we can use different values. For example, we can have the following query:

http://www.example.com/index.php?id='%20AND%201=0%20OR%20'a'=IIF((select%20mid(last(username),1,1)%20from%20(select%20top%2010%20username%20from%20users))='a','a','b')%00

that returns a query that is always true if the first character is 'a' or a query that is always false in the other case.

This method allows us to infer the value of the username. To understand when we have
obtained the complete value we have two choices:

# We try all the printable values; when no one is valid then we have the complete value.
# We can infer the length of the value (if it's a string value we can use the LEN function) and stop when we have found all the characters.

=== Advanced Tricks ===
Sometimes we are blocked by some filtering function. Here we see some tricks to bypass these filters.

==== Alternative Delimiter ====
Some filters strip away the space from the input string. We can bypass these filters using
the following values as delimiter instead of the white space:

'''
9
a
c
d
20
2b
2d
3d
'''

For example we can execute the following query:

http://www.example.com/index.php?username=foo%27%09or%09%271%27%09=%09%271

to bypass a hypothetical login form.

== References ==
'''Whitepapers''' 
* http://www.techonthenet.com/access/functions/index_alpha.php
* http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html

Testing for HTTP Parameter pollution (OTG-INPVAL-004)

2013-08-26T06:50:24Z

Luca Carettoni:

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
 
Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values. As HTTP Parameter Pollution (in short ''HPP'') affects a building block of all web technologies, server and client side attacks exist.
 
== Description of the Issue ==
 

Current HTTP standards do not include guidance on how to interpret multiple input parameters with the same name. For instance, [http://www.ietf.org/rfc/rfc3986.txt RFC 3986] simply defines the term ''Query String'' as a series of field-value pairs and [http://www.ietf.org/rfc/rfc2396.txt RFC 2396] defines classes of reversed and unreserved query string characters. Without a standard in place, web application components handle this edge case in a variety of ways (see the table below for details).
By itself, this is not necessarily an indication of vulnerability. However, if the developer is not aware of the problem, the presence of duplicated parameters may produce an anomalous behavior in the application that can be potentially exploited by an attacker. As often in security, unexpected behaviors are a usual source of weaknesses that could lead to HTTP Parameter Pollution attacks in this case.

To better introduce this class of vulnerabilities and the outcome of HPP attacks, it is interesting to analyze some real-life examples that have been discovered in the past.

=== Input Validation and filters bypass ===
 
In 2009, immediately after the publication of the first research on HTTP Parameter Pollution, the technique received attention from the security community as a possible way to bypass web application firewalls.

One of these flaws, affecting ''ModSecurity SQL Injection Core Rules'', represents a perfect example of the impedance mismatch between applications and filters. The ModSecurity filter would correctly blacklist the following string: <code>select 1,2,3 from table</code>, thus blocking this example URL from being processed by the web server: <code>/index.aspx?page=select 1,2,3 from table</code>. However, by exploiting the concatenation of multiple HTTP parameters, an attacker could cause the application server to concatenate the string after the ModSecurity filter already accepted the input. As an example, the URL <code>/index.aspx?page=select 1&page=2,3</code> from table would not trigger the ModSecurity filter, yet the application layer would concatenate the input back into the full malicious string.

Another HPP vulnerability turned out to affect ''Apple Cups'', the well-known printing system used by many UNIX systems. Exploiting HPP, an attacker could easily trigger a Cross-Site Scripting vulnerability using the following URL: <code>http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos</code>. The application validation checkpoint could be bypassed by adding an extra <code>kerberos</code> argument having a valid string (e.g. empty string). As the validation checkpoint would only consider the second occurrence, the first <code>kerberos</code> parameter was not properly sanitized before being used to generate dynamic HTML content. Successful exploitation would result in Javascript code execution under the context of the hosting web site.
 

=== Authentication bypass ===
 
An even more critical HPP vulnerability was discovered in ''Blogger'', the popular blogging platform. The bug allowed malicious users to take ownership of the victim’s blog by using the following HTTP request:

<code>
POST /add-authors.do HTTP/1.1

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite
</code>

The flaw resided in the authentication mechanism used by the web application, as the security check was performed on the first <code>blogID</code> parameter, whereas the actual operation used the second occurrence.
 

===Expected Behavior by Application Server===
 
The following table illustrates how different web technologies behave in presence of multiple occurrences of the same HTTP parameter.

Given the URL and querystring: <code>http://example.com/?color=red&color=blue</code>
{|
|-
! Web Application Server Backend !! Parsing Result !! Example
|-
| ASP.NET / IIS || All occurrences concatenated with a comma || color=red,blue
|-
| ASP / IIS || All occurrences concatenated with a comma|| color=red,blue
|-
| PHP / Apache || Last occurrence only || color=blue
|-
| PHP / Zeus || Last occurrence only || color=blue
|-
| JSP, Servlet / Apache Tomcat || First occurrence only || color=red
|-
| JSP, Servlet / Oracle Application Server 10g || First occurrence only || color=red
|-
| JSP, Servlet / Jetty || First occurrence only || color=red
|-
| IBM Lotus Domino || Last occurrence only || color=blue
|-
| IBM HTTP Server || First occurrence only || color=red
|-
| mod_perl, libapreq2 / Apache || First occurrence only || color=red
|-
| Perl CGI / Apache || First occurrence only || color=red
|-
| mod_wsgi (Python) / Apache || First occurrence only || color=red
|-
| Python / Zope || All occurrences in List data type || color=['red','blue']
|}
(source: [[Media:AppsecEU09_CarettoniDiPaola_v0.8.pdf]] )
 
== Black Box testing and example ==
 
Luckily, because the assignment of HTTP parameters is typically handled via the web application server, and not the application code itself, testing the response to parameter pollution should be standard across all pages and actions. However, as in-depth business logic knowledge is necessary, testing HPP requires manual testing. Automatic tools can only partially assist auditors as they tend to generate too many false positives. In addition, HPP can manifest itself in client-side and server-side components.

=== Server-side HPP ===
 
To test for HPP vulnerabilities, identify any form or action that allows user-supplied input. Query string parameters in HTTP GET requests are easy to tweak in the navigation bar of the browser. If the form action submits data via POST, the tester will need to use an intercepting proxy to tamper with the POST data as it is sent to the server.
Having identified a particular input parameter to test, one can edit the GET or POST data by intercepting the request, or change the query string after the response page loads. To test for HPP vulnerabilities simply append the same parameter to the GET or POST data but with a different value assigned.

For example: if testing the <code>search_string</code> parameter in the query string, the request URL would include that parameter name and value.
 <code>http://example.com/?search_string=kittens</code>
 
The particular parameter might be hidden among several other parameters, but the approach is the same; leave the other parameters in place and append the duplicate.
 
<code>http://example.com/?mode=guest&search_string=kittens&num_results=100</code>
 
Append the same parameter with a different value
 
<code>http://example.com/?mode=guest&search_string=kittens&num_results=100&search_string=puppies</code>
 
and submit the new request.

Analyze the response page to determine which value(s) were parsed. In the above example, the search results may show <code>kittens</code>, <code>puppies</code>, some combination of both (<code>kittens,puppies</code> or <code>kittens~puppies</code> or <code>['kittens','puppies']</code>), may give an empty result, or error page.
 
This behavior, whether using the first, last, or combination of input parameters with the same name, is very likely to be consistent across the entire application. Whether or not this default behavior reveals a potential vulnerability depends on the specific input validation and filtering specific to a particular application. As a general rule: if existing input validation and other security mechanisms are sufficient on single inputs, and if the server assigns only the first or last polluted parameters, then parameter pollution does not reveal a vulnerability. If the duplicate parameters are concatenated, different web application components use different occurrences or testing generates an error, there is an increased likelihood of being able to use parameter pollution to trigger security vulnerabilities.

A more in-depth analysis would require three HTTP requests for each HTTP parameter:
# Submit an HTTP request containing the standard parameter name and value, and record the HTTP response. E.g. <code>page?par1=val1</code>
# Replace the parameter value with a tampered value, submit and record the HTTP response. E.g. <code>page?par1=HPP_TEST1</code>
# Send a new request combining step (1) and (2). Again, save the HTTP response. E.g. <code>page?par1=val1&par1=HPP_TEST1</code>
# Compare the responses obtained during all previous steps. If the response from (3) is different from (1) and the response from (3) is also different from (2), there is an impedance mismatch that may be eventually abused to trigger HPP vulnerabilities.

Crafting a full exploit from a parameter pollution weakness is beyond the scope of this text. See the references for examples and details.

=== Client-side HPP ===
 
Similarly to server-side HPP, manual testing is the only reliable technique to audit web applications in order to detect parameter pollution vulnerabilities affecting client-side components. While in the server-side variant the attacker leverages a vulnerable web application to access protected data or perform actions that either not permitted or not supposed to be executed, client-side attacks aim at subverting client-side components and technologies.
 
To test for HPP client-side vulnerabilities, identify any form or action that allows user input and shows a result of that input back to the user. A search page is ideal, but a login box might not work (as it might not show an invalid username back to the user).

Similarly to server-side HPP, pollute each HTTP parameter with <code>%26HPP_TEST</code> and look for ''url-decoded'' occurrences of the user-supplied payload:
* <code>&HPP_TEST</code>
* <code><tt>&amp;HPP_TEST</tt></code>
* … and others

In particular, pay attention to responses having HPP vectors within <code>data</code>, <code>src</code>, <code>href</code> attributes or forms actions. Again, whether or not this default behavior reveals a potential vulnerability depends on the specific input validation, filtering and application business logic.
In addition, it is important to notice that this vulnerability can also affect query string parameters used in XMLHttpRequest (XHR), runtime attribute creation and other plugin technologies (e.g. Adobe Flash’s flashvars variables).

== References ==
'''Whitepapers''' 
HTTP Parameter Pollution - Luca Carettoni, Stefano di Paola [https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf]

Split and Join (Bypassing Web Application Firewalls with HTTP Parameter Pollution) - Lavakumar Kuppan [http://www.andlabs.org/whitepapers/Split_and_Join.pdf]

Client-side Http Parameter Pollution Example (Yahoo! Classic Mail flaw) - Stefano di Paola [http://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html]

How to Detect HTTP Parameter Pollution Attacks - Chrysostomos Daniel [http://www.acunetix.com/blog/whitepaper-http-parameter-pollution/]

CAPEC-460: HTTP Parameter Pollution (HPP) - Evgeny Lebanidze [http://capec.mitre.org/data/definitions/460.html]

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications - Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda [http://www.iseclab.org/people/embyte/papers/hpp.pdf]

 
'''Tools''' 
OWASP ZAP HPP Passive/Active Scanners [https://code.google.com/p/zap-extensions/wiki/V1Extensions]

HPP Finder (Chrome Plugin) [https://chrome.google.com/webstore/detail/hpp-finder]

Testing for MS Access

2013-08-26T06:30:44Z

Luca Carettoni:

{{Template:OWASP Testing Guide v4}}

== Short Description of the Issue ==
This article describes how to exploit SQL Injection vulnerabilities when the
backend database is MS Access. In particular, the article focuses on how to exploit Blind SQL Injection.
After an initial introduction on the typical functions that are useful to exploit a SQL Injection vulnerability,
a method to exploit Blind SQL Injection will be discussed.

== Black Box testing and example ==

=== Standard Test ===
First of all, let's show a typical example of SQL error that can encounter when
a test is executed:

Fatal error: Uncaught exception 'com_exception' with message 'Source: Microsoft JET Database Engine Description:

That means that maybe we are testing an application with an MS Access Database backend.

Unfortunately, MS Access doesn't support any comment character in the SQL query,
so it is not possible to use the trick of inserting the characters /* or -- or # to truncate the query. On the other hand, we can fortunately bypass this limit with the NULL character. If we insert the char %00 at some place in
the query, all the remaining characters after the NULL are ignored. That happens
because, internally, strings are NULL terminated.
However, the NULL character can sometimes cause troubles. We can notice that there is another value that can be used in order to truncate the query.
The character is 0x16 (%16 in URL encoded format) or 22 in decimal. So if we have the following query:

SELECT [username],[password] FROM users WHERE [username]='$myUsername' AND [password]='$myPassword'

we can truncate the query with the following two URLs:

http://www.example.com/index.php?user=admin'%00&pass=foo
http://www.example.com/index.php?user=admin'%16&pass=foo

==== Attributes enumeration ====
In order to enumerate the attributes of a query, it is possible to use the same method used for the database
MS SQL Server. In short, we can obtain the name of the attributes by error messages. For example,
if we know the existence of a parameter because we got it by an error message due to the
' character, we can also know the name of the remaining attributes with the following query:

' GROUP BY Id%00

In the error message received we can see that the name of the next attribute is shown. We iterate the
method until we obtain the name of all the attributes. If we don't know the name of at least
one attribute, we can insert a fictitious column name, and, just like by magic, we obtain the name of
the first attribute.

==== Obtaining Database Schema ====
Various tables exist in MS Access that can be used to obtain the name of a table in a
particular database. In the default configuration these tables are not accessible, however it's
possible to try it. The names of these table are:

* MSysObjects
* MSysACEs
* MSysAccessXML

For example, if a union SQL injection vulnerability exists, you can use the following query:

' UNION SELECT Name FROM MSysObjects WHERE Type = 1%00

These are the main steps that you can use to exploit a SQL injection vulnerability on
MS Access. There are also some functions that can be useful to exploit custom
queries. Some of these functions are:

* ASC: Obtain the ASCII value of a character passed as input
* CHR: Obtain the character of the ASCII value passed as input
* LEN: Return the length of the string passed as parameter
* IIF: Is the IF construct, for example the following statement IIF(1=1, 'a', 'b') return 'a'
* MID: This function allows you to extract substring, for example the following statement mid('abc',1,1) return 'a'
* TOP: This function allows you to specify the maximum number of results that the query should return from the top. For example TOP 1 will return only 1 row.
* LAST: This function is used to select only the last row of a set of rows. For example the following query SELECT last(*) FROM users will return only the last row of the result.

Some of these functions will be used to exploit a blind SQL injection as we see in the next
paragraph. For other functions please refer to References.

=== Blind SQL Injection testing ===
[[Blind SQL Injection]] vulnerabilities are by no means the most frequent type of vulnerability
that you will find. Generally, you find an SQL injection in a parameter where no union
query is possible. Also, usually, there is no chance to execute shell commands or to read/write
a file. All you can do is infer the result of your query. For our test we take the
following example:

http://www.example.com/index.php?myId=[sql]

where the id parameter is used in the following query:

SELECT * FROM orders WHERE [id]=$myId

For our test, we will consider the myId parameter vulnerable to blind SQL injection.
We want to extract the content of the table users, in particular, of the column
username (we have already seen how to obtain the name of the attributes thanks
to the error messages and other techniques). It is supposed that the reader already knows the theory behind
the blind SQL injection attack, so we go straight to show some examples. A typical query that
can be used to infer the first character of the username of the 10th rows is:

http://www.example.com/index.php?id=IIF((select%20mid(last(username),1,1)%20from%20(select%20top%2010%20username%20from%20users))='a',0,'ko')

If the first character is 'a', this query will return a 0 (a "true response"), otherwise a
'ko' string. Now we will explain why we have used this particular query.
The first thing to point out is that with the functions IFF, MID and LAST, we extract the first
character of the username of the selected row. Unfortunately, the original query returns a set of records and not only one record, so we can't use this methodology directly. We must first select only one row. We can use the TOP function, but it only works with the first row. To select the other
queries we must use a trick. We want to infer the username of the row number 10.
First we use the TOP function to select the first ten rows with the query:

SELECT TOP 10 username FROM users

Then, we extract from this set the last row with the function LAST. Once we have only one row and
exactly the row that we want, we can use the IFF, MID and LAST functions to infer the value
of the username.
It may be interesting to note the use of the IFF function. In our example we use IFF to return a number or a string. With this trick we can distinguish when we have a true response or not. This is because id is of a numeric type, so if we compare it with a string we obtain a SQL error, otherwise with the 0 value we have no errors. Of course if the parameter was of type string we can use different values. For example, we can have the following query:

http://www.example.com/index.php?id='%20AND%201=0%20OR%20'a'=IIF((select%20mid(last(username),1,1)%20from%20(select%20top%2010%20username%20from%20users))='a','a','b')%00

that returns a query that is always true if the first character is 'a' or a query that is always false in the other case.

This method allows us to infer the value of the username. To understand when we have
obtained the complete value we have two choices:

# We try all the printable values; when no one is valid then we have the complete value.
# We can infer the length of the value (if it's a string value we can use the LEN function) and stop when we have found all the characters.

== Tricks ==
Sometimes we are blocked by some filtering function. Here we see some tricks to bypass these filters.

=== Alternative Delimiter ===
Some filters strip away the space from the input string. We can bypass these filters using
the following values as delimiter instead of the white space:

'''
9
a
c
d
20
2b
2d
3d
'''

For example we can execute the following query:

http://www.example.com/index.php?username=foo%27%09or%09%271%27%09=%09%271

to bypass a hypothetical login form.

== References ==
'''Whitepapers''' 
* http://www.techonthenet.com/access/functions/index_alpha.php
* http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html

Testing for HTTP Parameter pollution (OTG-INPVAL-004)

2013-08-26T06:26:56Z

Luca Carettoni:

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
 
Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values. As HTTP Parameter Pollution (in short ''HPP'') affects a building block of all web technologies, server and client side attacks exist.
 
== Description of the Issue ==
 

Current HTTP standards do not include guidance on how to interpret multiple input parameters with the same name. For instance, [http://www.ietf.org/rfc/rfc3986.txt RFC 3986] simply defines the ''Query String'' as a series of field-value pairs and [http://www.ietf.org/rfc/rfc2396.txt RFC 2396] defines classes of reversed and unreserved characters. Without a standard in place, web application components handle this edge case in a variety of ways (see the table below for details).
By itself, this is not necessarily an indication of vulnerability. However, if the developer is not aware of the problem, the presence of duplicated parameters may produce an anomalous behavior in the application that can be potentially exploited by an attacker. As often in security, unexpected behaviors are a usual source of weaknesses that could lead to HTTP Parameter Pollution attacks in this case.

To better introduce this class of vulnerabilities and the outcome of HPP attacks, it is interesting to analyze some real-life vulnerabilities that have been discovered in the past.

=== Input Validation and filters bypass ===
 
In 2009, immediately after the publication of the first research on HTTP Parameter Pollution, this technique received large attention from the security community as a possible way to bypass web application firewalls.

One of these flaws, affecting ''ModSecurity SQL Injection Core Rules'', represents a perfect example of the impedance mismatch between applications and filters. The ModSecurity filter would correctly blacklist the following string: <code>select 1,2,3 from table</code>, thus blocking this example URL from being processed by the web server: <code>/index.aspx?page=select 1,2,3 from table</code>. However, by exploiting the concatenation of multiple HTTP parameters, an attacker could cause the application server to concatenate the string after the ModSecurity filter already accepted the input. As an example, the URL <code>/index.aspx?page=select 1&page=2,3</code> from table would not trigger the ModSecurity filter, yet the application layer would concatenate the input back into the full malicious string.

Another HPP vulnerability turned out to affect ''Apple Cups'', the well-known printing system used by many UNIX systems. Exploiting HPP, an attacker could easily trigger a Cross-Site Scripting vulnerability using the following URL: <code>http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos</code>. The application validation checkpoint could be bypassed by adding an extra <code>kerberos</code> argument having a valid string (e.g. empty string). As the validation checkpoint would only consider the second occurrence, the first <code>kerberos</code> parameter was not properly sanitized before being used to generate dynamic HTML content. Successful exploitation would result in Javascript code execution under the context of the hosting web site.
 

=== Authentication bypass ===
 
An even more critical HPP vulnerability was discovered in ''Blogger'', the popular blogging platform. The bug allowed malicious users to take ownership of the victim’s blog by using the following HTTP request:

<code>
POST /add-authors.do HTTP/1.1

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite
</code>

The flaw resided in the authentication mechanism used by the web application, as the validation was performed on the first parameter, whereas the actual operation used the second occurrence.
 

===Expected Behavior by Application Server===
 
The following table illustrates how different web technologies behave in presence of multiple occurrences of the same HTTP parameter.

Given the URL and querystring: <code>http://example.com/?color=red&color=blue</code>
{|
|-
! Web Application Server Backend !! Parsing Result !! Example
|-
| ASP.NET / IIS || All occurrences concatenated with a comma || color=red,blue
|-
| ASP / IIS || All occurrences concatenated with a comma|| color=red,blue
|-
| PHP / Apache || Last occurrence only || color=blue
|-
| PHP / Zeus || Last occurrence only || color=blue
|-
| JSP, Servlet / Apache Tomcat || First occurrence only || color=red
|-
| JSP, Servlet / Oracle Application Server 10g || First occurrence only || color=red
|-
| JSP, Servlet / Jetty || First occurrence only || color=red
|-
| IBM Lotus Domino || Last occurrence only || color=blue
|-
| IBM HTTP Server || First occurrence only || color=red
|-
| mod_perl, libapreq2 / Apache || First occurrence only || color=red
|-
| Perl CGI / Apache || First occurrence only || color=red
|-
| mod_wsgi (Python) / Apache || First occurrence only || color=red
|-
| Python / Zope || All occurrences in List data type || color=['red','blue']
|}
(source: [[Media:AppsecEU09_CarettoniDiPaola_v0.8.pdf]] )
 
== Black Box testing and example ==
 
Luckily, because the assignment of HTTP parameters is typically handled via the web application server, and not the application code itself, testing the response to parameter pollution should be standard across all pages and actions. However, as in-depth business logic knowledge is required, testing HPP requires manual testing and automatic tools can only partially assist auditors. In addition, HPP can manifest itself in client-side and server-side components.

=== Server-side HPP ===
 
To test for HPP vulnerabilities, identify any form or action that allows user-supplied input. Query string parameters in HTTP GET requests are easy to tweak in the navigation bar of the browser. If the form action submits data via POST, the tester will need to use an intercepting proxy to tamper with the POST data as it is sent to the server.
Having identified a particular input parameter to test, one can edit the GET or POST data by intercepting the request, or change the query string after the response page loads. To test for HPP vulnerabilities simply append the same parameter to the GET or POST data but with a different value assigned.

For example: if testing the <code>search_string</code> parameter in the query string, the request URL would include that parameter name and value.
 <code>http://example.com/?search_string=kittens</code>
 
The particular parameter might be hidden among several other parameters, but the approach is the same; leave the other parameters in place and append the duplicate.
 
<code>http://example.com/?mode=guest&search_string=kittens&num_results=100</code>
 
Append the same parameter with a different value
 
<code>http://example.com/?mode=guest&search_string=kittens&num_results=100&search_string=puppies</code>
 
and submit the new request.

Analyze the response page to determine which value(s) were parsed. In the above example, the search results may show <code>kittens</code>, <code>puppies</code>, some combination of both (<code>kittens,puppies</code> or <code>kittens~puppies</code> or <code>['kittens','puppies']</code>), may give an empty result, or error page.
 
This behavior, whether using the first, last, or combination of input parameters with the same name, is very likely to be consistent across the entire application. Whether or not this default behavior reveals a potential vulnerability depends on the specific input validation and filtering specific to a particular application. As a general rule: if existing input validation and other security mechanisms are sufficient on single inputs, and if the server assigns only the first or last polluted parameters, then parameter pollution does not reveal a vulnerability. If the duplicate parameters are concatenated, different web application components use different occurrences or testing generate an error, there is an increased likelihood of being able to use parameter pollution to trigger security vulnerabilities.

A more in-depth analysis would require three HTTP requests for each HTTP parameter:
# Submit an HTTP request containing the standard parameter name and value, and record the HTTP response. E.g. <code>page?par1=val1</code>
# Replace the parameter value with a tampered value, submit and record the HTTP response. E.g. <code>page?par1=HPP_TEST1</code>
# Send a new request combining step (1) and (2). Again, record the HTTP responses. E.g. <code>page?par1=val1&par1=HPP_TEST1</code>
# Compare the responses obtained during all previous steps. If the response from (3) is different from (1) and the response from (3) is also different from (2), there is an impedance mismatch that may be eventually abused to trigger HPP vulnerabilities.

Crafting a full exploit from a parameter pollution weakness is beyond the scope of this text. See the references for examples and details.

=== Client-side HPP ===
 
Similarly to server-side HPP, manual testing is the only reliable technique to audit web applications in order to detect parameter pollution vulnerabilities affecting client-side components. While in the server-side variant the attacker leverages a vulnerable web application to access protected data or perform actions that either not permitted or not supposed to be executed, client-side attacks aims at tampering client-side components and technologies.
 
To test for HPP client-side vulnerabilities, identify any form or action that allows user input and shows a result of that input back to the user. A search page is ideal, but a login box might not work (as it might not show an invalid username back to the user).

Similarly to server-side HPP, pollute each HTTP parameter with <code>%26HPP_TEST</code> and look for ''url-decoded'' occurrences of the user-supplied payload:
* <code>&HPP_TEST</code>
* <code><tt>&amp;HPP_TEST</tt></code>
* … and others

In particular, pay attention to responses having HPP vectors within <code>data</code>, <code>src</code>, <code>href</code> attributes or forms actions. Again, whether or not this default behavior reveals a potential vulnerability depends on the specific input validation, filtering and application business logic.
In addition, it is important to notice that this vulnerability can also affect query string parameters used in XMLHttpRequest (XHR), runtime attribute creation and other plugin technologies (e.g. Adobe Flash’s flashvars variables).

== References ==
'''Whitepapers''' 
HTTP Parameter Pollution - Luca Carettoni, Stefano di Paola [https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf]

Split and Join (Bypassing Web Application Firewalls with HTTP Parameter Pollution) - Lavakumar Kuppan [http://www.andlabs.org/whitepapers/Split_and_Join.pdf]

Client-side Http Parameter Pollution Example (Yahoo! Classic Mail flaw) - Stefano di Paola [http://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html]

How to Detect HTTP Parameter Pollution Attacks - Chrysostomos Daniel [http://www.acunetix.com/blog/whitepaper-http-parameter-pollution/]

CAPEC-460: HTTP Parameter Pollution (HPP) - Evgeny Lebanidze [http://capec.mitre.org/data/definitions/460.html]

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications - Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda [http://www.iseclab.org/people/embyte/papers/hpp.pdf]

 
'''Tools''' 
OWASP ZAP HPP Passive/Active Scanners [https://code.google.com/p/zap-extensions/wiki/V1Extensions]

HPP Finder (Chrome Plugin) [https://chrome.google.com/webstore/detail/hpp-finder]