WebApp Sec mailing list archives
Re: New Whitepaper - "Second-order Code Injection Attacks"
From: Gunter Ollmann <gunter () ngssoftware com>
Date: Thu, 11 Nov 2004 17:49:12 +0000
Hi Jan, Jan P. Monsch wrote:
Thank you for your very interessting paper on "Second-Order Code Injection Attacks".
Cool - hopefully it useful to others as well.
Concerning your protection recommendations I think that they must supplemented: - An attack has a direction. For example SQL-Injection is a back-end directed attack. XSS in contrast is a front-end directed attack. To get the optimal protection it is necessary to prevent in direction of the attack. For SQL-Injection this results in input validation and for XSS this results in output encoding (' -> "e).
While correct for a large number of cases, this is not particularly true for second-order code injection attacks. For example, malicious SQL code may be injected into an address field, and only executed as part of a SQL query much later on a remote system (e.g. an analysis tool for shortest-path delivery routes). This may be extended such that the SQL injection's purpose is to force a ackend database (or helpdesk MDB file) to pull down more laicious code... basically XSS through SQL statements.
Sanitisation of "dangerous" characters such as single-quote is always to be recommended as the first port of call. However, there are more than 40 different (and commonly used) ways of encoding this character that are effective on UK-English/US-English/International-English formats... this expands more when dealing with other language systems.
- I think that removing characters does often not meet complex business requirements (Think of family names like D'Amato). An backend application does often not know which other applications are dependant on that data. So every component using data must protect itself. Especially in case of HTML GUIs the application must perform output encoding.
This is correct - but you have to start somewhere. There most certainly isn't a "silver bullet" for handling particular groups of dangerous characters.
- When auditing XML based application it must be verified that the XML documents encode the content properly.
Easier said than done. The process of verifying that XML documents are encode properly may actually intruce yet another vulnerable layer to the application.
-- ------------------------------------------------------ G u n t e r O l l m a n n, MSc(Hons), BSc Professional Services Director Next Generation Security Software Ltd. First Floor, 52 Throwley Way Tel: +44 (0)208 401 0089 Sutton, Surrey, SM1 4BF, UK http://www.nextgenss.com Fax: +44 (0)208 401 0076 ------------------------------------------------------
Current thread:
- Re: New Whitepaper - "Second-order Code Injection Attacks" Jeff Williams (Nov 05)
- RE: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (NGS) (Nov 05)
- <Possible follow-ups>
- Re: New Whitepaper - "Second-order Code Injection Attacks" Jan P. Monsch (Nov 11)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (Nov 11)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Rogan Dawes (Nov 12)
- RE: New Whitepaper - "Second-order Code Injection Attacks" Mark Curphey (Nov 14)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Stephen de Vries (Nov 20)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (Nov 11)