
Wednesday, 11 April 2007

Out-of-band input channels

When we think about attacking web applications, it is natural to focus on the core means by which we can interact with a target application - that is, using HTTP requests generated by a web browser or other client software. In many applications, however, there are other channels through which we can introduce our input into the application’s processing. These out-of-band channels represent a significant, and often buggy, area of attack surface.

Here are some examples in applications which I have encountered:

  • Web mail applications, in which data received via SMTP is processed by the application and ultimately rendered in-browser to other users.

  • A web interface to a network monitoring solution, in which data sniffed off the wire in a large number of different protocols is collated by the application and displayed in various forms.

  • Portal applications which use RSS mash-ups to render data retrieved from third parties.

  • A web authoring application which allows users to import external web pages by specifying a URL; the application retrieves these via HTTP and processes the contents.

Another example, which I have not encountered and which probably falls into the category of bar-room apocrypha, concerned an application used to process the photographed images of speeding motorists. Reputedly, the application used OCR to read the car’s registration number, and placed this into a SQL query to update its records. Of course, it was vulnerable to SQL injection, but this could only be exploited by printing your attack string onto a registration plate and then driving quickly past a camera. Furthermore, the bug was completely blind, with minimal opportunities for retrieving the results of an arbitrary query. It was mooted that time delays might provide a solution - for example, by triggering very long conditional delays and monitoring the time taken to receive a ticket. However, with only 12 available points on your license, retrieving one bit of data at a time is unlikely to succeed. In this situation, therefore, perhaps the most effective PoC attack string would be:

'; drop table offenders--
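The anecdote's bug is the same one seen on any HTTP parameter: untrusted input spliced into a query string. The following added example (not from the original post) contrasts that pattern with a version that validates the OCR output against an expected plate format and binds it as a parameter; the schema, plate pattern and sample values are constructed for illustration.

```python
"""Out-of-band input (OCR-read plates) handled as untrusted data.
Schema, plate format and sample values are constructed for this example."""
import re
import sqlite3

# Constructed allowlist for the plate format the camera is expected to read
# (current-style UK plates such as "AB12 CDE"); adjust to your deployment.
PLATE_RE = re.compile(r"^[A-Z]{2}[0-9]{2} ?[A-Z]{3}$")


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the ticketing database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (plate TEXT, tickets INTEGER)")
    return conn


def build_update_unsafe(plate: str) -> str:
    """The buggy pattern from the anecdote: OCR output concatenated into SQL.
    With the plate text from the post this yields two statements, not one."""
    return "UPDATE offenders SET tickets = tickets + 1 WHERE plate = '" + plate + "'"


def is_plausible_plate(plate: str) -> bool:
    """Format check: OCR noise or injected text fails the allowlist."""
    return PLATE_RE.fullmatch(plate) is not None


def record_bound(conn: sqlite3.Connection, plate: str) -> int:
    """Parameter binding alone: whatever the OCR read is stored as data,
    never parsed as SQL. Returns the ticket count for that plate."""
    row = conn.execute(
        "SELECT tickets FROM offenders WHERE plate = ?", (plate,)).fetchone()
    if row is None:
        conn.execute("INSERT INTO offenders VALUES (?, 1)", (plate,))
        return 1
    conn.execute(
        "UPDATE offenders SET tickets = tickets + 1 WHERE plate = ?", (plate,))
    return row[0] + 1


def record_offence(conn: sqlite3.Connection, plate: str) -> int:
    """Hardened path: reject implausible OCR output, then bind the value."""
    if not is_plausible_plate(plate):
        raise ValueError("OCR output does not look like a registration plate")
    return record_bound(conn, plate)
```

Binding stops the query from being rewritten; the format check additionally keeps garbage out of the records, which matters for an input channel where the "user" is a camera rather than a browser.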


Copyright (c) 2007 PortSwigger. All rights reserved.