This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Comment Injection Attack"

From OWASP
Jump to: navigation, search
(Examples)
m (Added to Injection subcategory)
 
(27 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
<br>
 +
[[Category:OWASP ASDR Project]]
 +
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
 
Comments injected into an application through input can be used to compromise a system. As data is parsed, an injected/malformed comment may cause the process to take unexpected actions that result in an attack.
 
Comments injected into an application through input can be used to compromise a system. As data is parsed, an injected/malformed comment may cause the process to take unexpected actions that result in an attack.
 +
 +
==Risk Factors==
 +
TBD
  
 
==Examples==
 
==Examples==
Line 10: Line 18:
 
'''Database:'''
 
'''Database:'''
  
If the attacker has the ability to manipulate queries, which are sent to the database, then he's able to inject a terminating
+
If the attacker has the ability to manipulate queries which are sent to the database, then he's able to inject a terminating
character too. The aftermath is that the interpretation of the query will be stoped at the terminating character:
+
character too. The aftermath is that the interpretation of the query will be stopped at the terminating character:
 
<pre>
 
<pre>
 
SELECT body FROM items WHERE id = $ID limit 1;
 
SELECT body FROM items WHERE id = $ID limit 1;
Line 23: Line 31:
 
SELECT body FROM items WHERE id = 1 or 1=1; # limit 1;
 
SELECT body FROM items WHERE id = 1 or 1=1; # limit 1;
 
</pre>
 
</pre>
After the '''#''' character everything will be discarded by the database including "''limit 1''". That's why only the last column "body" with all its records will be recived as a query response.
+
After the '''#''' character everything will be discarded by the database including "''limit 1''", so only the last column "body" with all its records will be received as a query response.
  
 
Sequences that may be used to comment queries:
 
Sequences that may be used to comment queries:
Line 35: Line 43:
 
To comment out some parts of the queries, the attacker may use the standard sequences, typical for a given language, or terminate
 
To comment out some parts of the queries, the attacker may use the standard sequences, typical for a given language, or terminate
 
the queries using his own methods being limited only by his imagination. An interesing example is a null byte method used to
 
the queries using his own methods being limited only by his imagination. An interesing example is a null byte method used to
comment out everything after the current query in MS Access databases. More information about it can be found in [[Embedding_Null_Code]] .
+
comment out everything after the current query in MS Access databases. More information about this can be found in [[Embedding Null Code]] .
  
 
'''Shell:'''
 
'''Shell:'''
Line 65: Line 73:
 
'''HTML (injection):'''
 
'''HTML (injection):'''
  
If there are no restrictions about who is able to insert comments,then using start comment tag:
+
If there are no restrictions about who is able to insert comments, then using the start comment tag:
 
<pre>
 
<pre>
 
<!--
 
<!--
Line 76: Line 84:
 
print "hello!: ";
 
print "hello!: ";
 
print $_GET['user'];
 
print $_GET['user'];
print " Welcome to Hell!";
+
print " Welcome friend!";
 
?>
 
?>
 
</pre>
 
</pre>
Line 88: Line 96:
 
</pre>
 
</pre>
  
References:
+
==Related [[Threat Agents]]==
 
+
TBD
* http://dev.mysql.com/doc/refman/5.0/en/comments.html
 
* http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
 
 
 
==Related Threats==
 
 
 
* [[:Category:Information Disclosure]]
 
 
 
==Related Attacks==
 
  
 +
==Related [[Attacks]]==
 
* [[Embedding_Null_Code]]
 
* [[Embedding_Null_Code]]
 
* [[Unicode Encoding]]
 
* [[Unicode Encoding]]
  
==Related Vulnerabilities==
+
==Related [[Vulnerabilities]]==
 
 
 
* [[:Category:Input Validation Vulnerability]]
 
* [[:Category:Input Validation Vulnerability]]
  
==Related Countermeasures==
+
==Related [[Controls]]==
 
 
 
* [[:Category: Input Validation]]
 
* [[:Category: Input Validation]]
 +
* [[Output Validation]]
 +
* [[Canonicalization]]
  
Developers should anticipate that comments will be injected/removed/manipulated in the input vectors of their software
+
==References==
system. Use an appropriate combination of black lists and white lists to ensure only valid, expected and appropriate input is processed by the system.
+
* http://dev.mysql.com/doc/refman/5.0/en/comments.html
 +
* http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
  
==Categories==
+
[[Category:FIXME|please check the second link]]
  
 +
[[Category:Injection]]
 
[[Category:Resource Manipulation]]
 
[[Category:Resource Manipulation]]
 
 
[[Category:Attack]]
 
[[Category:Attack]]

Latest revision as of 23:12, 8 December 2011

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision (mm/dd/yy): 12/8/2011

Description

Comments injected into an application through input can be used to compromise a system. As data is parsed, an injected/malformed comment may cause the process to take unexpected actions that result in an attack.

Risk Factors

TBD

Examples

The attacker may conduct this kind of attack with different programming or scripting languages:

Database:

If the attacker has the ability to manipulate queries which are sent to the database, then he's able to inject a terminating character too. The aftermath is that the interpretation of the query will be stopped at the terminating character:

SELECT body FROM items WHERE id = $ID limit 1;

Let's assume that the attacker has sent via the GET method the following data stored in variable $ID:

"1 or 1=1; #"

In the end the final query form is:

SELECT body FROM items WHERE id = 1 or 1=1; # limit 1;

After the # character everything will be discarded by the database including "limit 1", so only the last column "body" with all its records will be received as a query response.

Sequences that may be used to comment queries:

  • MySQL:#, --
  • MS SQL: --
  • MS Access: %00 (hack!)
  • Oracle: --

Null byte:

To comment out some parts of the queries, the attacker may use the standard sequences, typical for a given language, or terminate the queries using his own methods being limited only by his imagination. An interesing example is a null byte method used to comment out everything after the current query in MS Access databases. More information about this can be found in Embedding Null Code .

Shell:

Shell (bash) also has the character #, which terminates interpretation.

For example:

find.php

<?
$ =sth $_GET['what];
system("/usr/bin/find -name '$sth' -type f");
?>

Using /find.php?what=*'%20%23 the attacker will bypass limitation "-type f" and this command:

/usr/bin/find -name '*' -type f

will become:

/usr/bin/find -name '*' #-type f

So the final form of the command is:

/usr/bin/find -name '*'

HTML (injection):

If there are no restrictions about who is able to insert comments, then using the start comment tag:

<!--

it's possible to comment out the rest of displayed content on the website.

invisible.php

<?php
print "hello!: ";
print $_GET['user'];
print " Welcome friend!";
?>

After:

GET /invisible.php?user=<!--

There result will be:

hello!:

Related Threat Agents

TBD

Related Attacks

Related Vulnerabilities

Related Controls

References