Difference between revisions of "Resource Injection"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
Resource Injection
+
{{Template:Attack}}
 +
{{Template:Fortify}}
  
 +
==Abstract==
 +
 +
Allowing user input to control resource identifiers may enable an attacker to access or modify otherwise protected system resources.
  
 
==Description==
 
==Description==
  
This attack consists in allow a user to alter/pass resource identifiers may enabled an attacker access or modify another any system resources protected
+
A resource injection issue occurs when the following two conditions are met:
 
+
There are two conditions for this attack be realize, the first way is system resource identifier specified for an attacker; the second way is a attacker specifying a resource, take permission enough, thing that would not be possible.
+
 
+
Note: The resource injection attack involves resources stored on filesystem, like the path manipulation attack, even so they are separated by differenties categories, see path manipulation attack for more details this  technique
+
+
 
+
 
+
 
+
==External references==
+
http://samate.nist.gov/SRD/view_testcase.php?login=Guest&tID=1734
+
http://cwe.mitre.org/data/definitions/99.html
+
http://capec.mitre.org/data/index.html#Definition
+
http://www.fortifysoftware.com/vulncat/
+
 
+
G. Hoglund and G. McGraw. Exploiting Software. Addison-Wesley, 2004.
+
 
+
 
+
  
 +
# An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used.
 +
# By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
  
 
==Examples ==
 
==Examples ==
  
‘’Example 1’’
+
===Example 1===
  
This is code is a java class whose is vulnerable to a resource injection:
+
The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.
1. #import java.io.*;
+
2.
+
3. #public class ResourceInjection {
+
4.        
+
5. #    private static void test() {
+
6.
+
7. #        String fileName = null;
+
8. #        int    checkInteger  = 0;
+
9. #
+
10. #        try {
+
11. #            BufferedReader inStream = new BufferedReader (
+
12. #                                          new InputStreamReader(System.in) );
+
13. #           
+
14. #            System.out.print("Please enter a filename: ");
+
15. #            fileName = inStream.readLine();
+
16. #         
+
17. #        }  catch (IOException e) {
+
18. #            System.out.println("IOException: " + e);
+
19. #            return;
+
20. #        }
+
21. #   
+
22. #        File myFile = new File("/var/tmp/" + fileName);
+
23. #       
+
24. #        if (myFile.delete())
+
25. #            System.out.println ("deleted file");
+
26. #
+
27. #       
+
28. #    }
+
29. #
+
30. #    public static void main(String[] args) {
+
31. #        test();
+
32. #    }
+
33. #}
+
Pay attention to line 15, the variable “fileName” received a name of file from user, in the line 22 is deleted a file whose has the name like a value of the “fileName”.
+
Suppose the user pass like parameter for “FileName” this value: “../../tomcat/conf/*.xml” the system will execute the operation with this file and to become inactive.
+
  
 +
<pre>
 +
String rName = request.getParameter("reportName");
 +
File rFile = new File("/usr/local/apfr/reports/" + rName);
 +
...
 +
rFile.delete();
 +
</pre>
  
 +
===Example 2===
  
 +
The following C++ code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.
  
 +
<pre>
 +
ifstream ifs(argv[0]);
 +
string s;
 +
ifs >> s;
 +
cout << s;
 +
</pre>
  
‘’Example 2’’
+
The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections.
 
+
The following code uses a port number read from a CGI request to create a socket.
+
  ...
+
  char* rPort = getenv("rPort");
+
  ...
+
  serv_addr.sin_port = htons(atoi(rPort));
+
  if (connect(sockfd,&serv_addr,sizeof(serv_addr)) < 0)
+
  error("ERROR connecting");
+
  ...
+
 
+
The kind of content that may be dangerous depending to the kind of resource that the user specify on the input. For example, data containing special characters like “.”, “/”, “\” may be represent some dangerous when used in operations that interact with the filesystem. In the same way that data contains URLs may create remote connections
+
 
+
 
+
‘’Exampe 3’’
+
This java class used in a input from an HTTP request delete a file. The developer has not considered the possibility that an attacker modify a file name like ass  "../../tomcat/conf/server.xml", which causes the application will not function
+
String rName = request.getParameter("reportName");
+
File rFile = new File("/usr/local/apfr/reports/" + rName);
+
...
+
rFile.delete();
+
________________________________________
+
 
+
‘’Example 4’’
+
This code uses a input file name from command line to specify which file to open end echo back to the user. If the user specify any soft link to the files, they can use the program to read the first party of any file on the system
+
C++ Example:
+
ifstream ifs(argv[0]);
+
string s;
+
ifs >> s;
+
cout << s;
+
 
+
 
+
  
 
==Related Threats==
 
==Related Threats==
 
 
  
 
==Related Attacks==
 
==Related Attacks==
Path Manipulation
 
Injection Attacks
 
 
  
 
==Related Vulnerabilities==
 
==Related Vulnerabilities==
Category:Input Validation Vulnerability
+
[[:Category:Input Validation Vulnerability]]
 
+
  
 
==Related Countermeasures==
 
==Related Countermeasures==
Category:Input Validation
+
[[:Category:Input Validation]]
 
+
 
+
  
 
==Categories==
 
==Categories==
 +
[[Category:Injection Attack]]
 +
[[Category:Java]]
 +
[[Category:Code Snippet]]
 +
[[Category:Implementation]]

Revision as of 13:25, 4 July 2007

This is an Attack. To view all attacks, please see the Attack Category page.


This article includes content generously donated to OWASP by Fortify.JPG.

Abstract

Allowing user input to control resource identifiers may enable an attacker to access or modify otherwise protected system resources.

Description

A resource injection issue occurs when the following two conditions are met:

  1. An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used.
  2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

Examples

Example 1

The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

	String rName = request.getParameter("reportName");
	File rFile = new File("/usr/local/apfr/reports/" + rName);
	...
	rFile.delete();

Example 2

The following C++ code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.

	ifstream ifs(argv[0]);
	string s;
	ifs >> s;
	cout << s;

The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections.

Related Threats

Related Attacks

Related Vulnerabilities

Category:Input Validation Vulnerability

Related Countermeasures

Category:Input Validation

Categories