Server-Side Security
Attack Types
Malware Attacker (Client)
Malicious code executed directly on the victim's computer or browser (software bugs, malware, ...).
ie. XSS, CSRF
Network Attacker (Network)
- passive: wireless eavesdropper
- active: evil wifi-router, DNS poisoning
Web Attacker (Server)
Attacker controls a domain, attacker.com, with a valid TLS certificate, that the user visits.
ie:
- gadget attacker: html-iframe (embedded page) with malicious content
- related-domain attacker: related domain of the target website, ie. attacker.example.com
____________
File path traversal
Vulnerable code
Webserver with standard webroot: /var/www/html (topmost directory, stores directory pages, some text files, the PHP script itself).
<?php
echo file_get_contents("pages/" . $_GET["page"]);
?>
Attack
Allows an attacker to read arbitrary files.
We can climb up with ../ and get access to any file on the web server.
GET /show.php?page=../../../etc/passwd HTTP/2
Host: example.com
Prevention: Defense in Depth (choose multiple defense mechanisms)
- Not using user controlled input for filenames
- Validating, filtering user input
  only allow file names from a static list
  compare them with the canonical path
  example
  <?php
  $pdir = "/var/www/html/pages/";
  $file = realpath($pdir . $_GET["file"]);  // concatenates user input to the path, then canonicalises it
  // canonical path must still start with the pages directory (realpath returns false if the file does not exist)
  if ($file !== false && strncmp($file, $pdir, strlen($pdir)) === 0) {
      echo file_get_contents($file);
  } else {
      echo "Error: invalid input";
  }
  ?>
- Reduced web server privileges
- Restrict access of the web server to its own directory
- Sandbox environments to enforce a boundary between the web server and the OS
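The three approaches above side by side, as an added example (not part of the original notes, and written in Python rather than PHP): the unchecked concatenation, the canonical-path check that mirrors the realpath()/strncmp() pattern, and the static-list approach. The webroot, the pages directory and the "secret" file one level above it are constructed in a temporary directory so the code runs offline; the function names are mine.

```python
import os
import tempfile

# Constructed sandbox: a fake webroot with a "pages" directory and a secret
# file one level above it, standing in for /var/www/html/pages and /etc/passwd.
WEBROOT = tempfile.mkdtemp(prefix="webroot-")
PAGES_DIR = os.path.join(WEBROOT, "pages")
os.makedirs(PAGES_DIR)
with open(os.path.join(PAGES_DIR, "about.txt"), "w") as f:
    f.write("about page")
with open(os.path.join(WEBROOT, "secret.txt"), "w") as f:
    f.write("SECRET")


def read_page_vulnerable(page):
    """Mirrors file_get_contents("pages/" . $_GET["page"]): no validation,
    so "../secret.txt" walks out of the pages directory."""
    with open(os.path.join(PAGES_DIR, page)) as f:
        return f.read()


def read_page_canonical(page):
    """Canonical-path check: resolve the joined path (collapsing ../ and
    symlinks) and require the result to still lie inside PAGES_DIR."""
    base = os.path.realpath(PAGES_DIR)
    target = os.path.realpath(os.path.join(base, page))
    # commonpath compares whole path components, which avoids the plain
    # string-prefix pitfall where "/pages-old/x" would match "/pages".
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("Error: invalid input")
    with open(target) as f:
        return f.read()


# Static list: the client supplies a key, never a file name.
ALLOWED_PAGES = {"about": "about.txt"}


def read_page_allowlist(page):
    if page not in ALLOWED_PAGES:
        raise KeyError("Error: invalid input")
    with open(os.path.join(PAGES_DIR, ALLOWED_PAGES[page])) as f:
        return f.read()


def rejects(reader, page):
    """True if the reader refuses the request instead of returning content."""
    try:
        reader(page)
    except (PermissionError, KeyError):
        return True
    return False
```

The canonical check runs realpath() on both sides so that symlinked directories (for example /var on macOS resolving to /private/var) compare consistently; the static list removes the file name from the attacker's control altogether and is the stronger option wherever the set of pages is known in advance.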
Remote Code Execution (RCE)
Code & Command injection
Vulnerable code
Most languages have functions to execute system commands.
system() in PHP: processes its function argument as a shell command line.
Uses system to ping an IP address provided by the user via the ip query variable:
<?php
system("ping -c 4 " . $_GET["ip"] . " -i 1");
?>
eval: automatically evaluates strings as PHP code.
<?php
eval("echo " . $_GET["expr"] . ";");
?>
Attack
Allows remote code execution, reading sensitive files.
; to combine multiple commands in a single line
# to comment out the rest
GET /ping.php?ip=8.8.8.8; cat /etc/passwd # HTTP/2
Host: example.com
GET /calc.php?expr=file_get_contents('/etc/passwd') HTTP/2
Host: example.com
Prevention
- Not using functions that dynamically evaluate strings as code or execute commands; rewrite the code entirely
- User input validation
  escape all special characters with a special meaning for the interpreter (ie. ; , # , ... for bash)
- Reduced web server privileges, sandbox environments
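The prevention points applied to the ping example, as an added example that is not part of the original notes and uses Python in place of PHP: the shell-string construction that the page's system() call performs, a validated version that checks the input is an IP address and passes it as one argv element with no shell involved, and the escaping variant for the case where a shell string cannot be avoided. The function names and the payload string are mine (the payload is the page's own request).

```python
import ipaddress
import shlex
import subprocess


def ping_command_vulnerable(ip):
    """Mirrors system("ping -c 4 " . $_GET["ip"] . " -i 1"): the user string is
    spliced into a shell command line, so ; and # keep their shell meaning."""
    return "ping -c 4 " + ip + " -i 1"


def validate_ip(ip):
    """Accept only a syntactically valid IPv4/IPv6 address (rewrite-the-check
    approach): anything with spaces, ; or # fails the parse."""
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        raise ValueError("Error: invalid input") from None


def ping_argv_safe(ip):
    """Validate, then build an argv list. Each element reaches ping as one
    argument; no shell ever parses the string."""
    return ["ping", "-c", "4", validate_ip(ip), "-i", "1"]


def ping_command_escaped(ip):
    """Escaping variant for the case where a shell string is unavoidable:
    shlex.quote wraps the argument in single quotes so ; and # are literal."""
    return "ping -c 4 " + shlex.quote(ip) + " -i 1"


def run_ping(ip):
    """Usage: shell=False (the default) with a list never invokes /bin/sh."""
    return subprocess.run(ping_argv_safe(ip), capture_output=True, text=True)


def is_rejected(ip):
    """True if validation refuses the input."""
    try:
        validate_ip(ip)
    except ValueError:
        return True
    return False
```

Of the two defensive variants, the argv list is preferable: it removes the interpreter from the data path instead of trying to out-guess its quoting rules, and the IP check keeps the value from ever containing metacharacters. shlex.quote is correct for POSIX shells only; it does not cover cmd.exe, another reason to avoid shell strings entirely.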
SQL injection
Not exclusively a web attack: an instance of a code injection vulnerability in the context of databases.
- read sensitive data
- damage the data integrity, drop tables, add / delete entries
First-Order Injections
User input as part of the query. The user can directly change the query.
Reading Database Metadata
information_schema.tables: names of the various tables
information_schema.columns: names, types, ... of the various table columns
Second-Order Injections (Stored SQL injections)
Some applications validate user input but not data coming from the database.
- store the payload in the database
- then use it to perform the attack
Prevention
Prepared statements
<?php
$db = new PDO(CONNECTION_STRING, DB_USER, DB_PASS);
$query = "SELECT * FROM users WHERE user = ? AND password = ?"; // "?" as parameter
$sth = $db->prepare($query);
$sth->execute([$_POST["user"], $_POST["password"]]); // values are bound separately from the query text
?>
Whitelisting approaches
Only when prepared statements cannot be used (ie., when the input is the name of the table to be used in FROM or ORDER BY).
Only allowing safe characters like letters, digits and underscore.
Defense-in-depth protection
Restricting access to sensitive tables (only when not required for functionality).
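The prepared-statement and whitelisting points above, as an added example that is not part of the original notes, using Python's sqlite3 module instead of PHP PDO. It contrasts a first-order injection against string-concatenated login query with the parameterised form, and shows the identifier whitelist for an ORDER BY column, where a parameter cannot be used. The in-memory users table, its rows and the function names are constructed here.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the application's users table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (user TEXT, password TEXT, role TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?, ?)",
               [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
db.commit()


def login_vulnerable(user, password):
    """First-order injection: user input becomes part of the query text, so a
    quote in the input changes the query's structure."""
    q = "SELECT user FROM users WHERE user = '%s' AND password = '%s'" % (user, password)
    return [row[0] for row in db.execute(q)]


def login_prepared(user, password):
    """Prepared statement: the query text is fixed, the values are bound
    separately and can never be parsed as SQL."""
    q = "SELECT user FROM users WHERE user = ? AND password = ?"
    return [row[0] for row in db.execute(q, (user, password))]


# Whitelist for identifiers: safe characters only, and additionally only the
# columns the application actually exposes for sorting.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")
ALLOWED_SORT_COLUMNS = {"user", "role"}


def list_users_sorted(column):
    """ORDER BY takes an identifier, not a value, so a placeholder does not
    apply; the column name is validated against the whitelist instead."""
    if not SAFE_IDENTIFIER.match(column) or column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("Error: invalid input")
    return [row[0] for row in db.execute("SELECT user FROM users ORDER BY " + column)]


def sort_column_rejected(column):
    """True if the whitelist refuses the column name."""
    try:
        list_users_sorted(column)
    except ValueError:
        return True
    return False
```

The whitelist is two-layered on purpose: the character-class regex keeps quotes, spaces and semicolons out of the identifier, and the explicit column set prevents a syntactically clean but unintended column (such as password) from being used to sort and thereby leak information.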