Apache Security - Ivan Ristic [159]

purposes. In HTML, for example, special characters are &, <, >, ", and '. Problems only arise if the programmer does not take steps to handle metacharacters properly.

To prevent injection attacks, a programmer needs to perform four steps:

Identify system components

Identify metacharacters for each component

Validate data on input of every component (e.g., to ensure a variable contains an email address, if it should)

Transform data on input of every component to neutralize metacharacters (e.g., to neutralize the ampersand character (&) that appears in user data and needs to be a part of an HTML page, it must be converted to &amp;)

Data validation and transformation should be automated wherever possible. For example, if transformation is performed in each script then each script is a potential weak point. But if scripts use an intermediate library to retrieve user input and the library contains functionality to handle data validation and transformation, then you only need to make sure the library works as expected. This principle can be extended to cover all data manipulation: never handle data directly, always use a library.

The metacharacter problem can be avoided if control information is transported independently from data. In such cases, special characters that occur in data lose all their powers, transformation is unnecessary and injection attacks cannot succeed. The use of prepared statements to interact with a database is one example of control information and data separation.
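The following is an added example (not code from the book) that puts the steps above into one small input-handling library: it validates an email address on input, neutralizes HTML metacharacters on output, and contrasts a concatenated SQL query with a prepared statement so the effect of separating control information from data is visible. The email pattern, table layout and sample rows are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed, deliberately strict pattern; an assumption for this example.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def get_email(raw):
    """Validate on input: reject anything that is not an email address."""
    if not EMAIL_RE.fullmatch(raw):
        raise ValueError("not an email address: %r" % raw)
    return raw


def for_html(value):
    """Transform for the HTML component: neutralize & < > \" and '."""
    return html.escape(value, quote=True)


def setup_db():
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_concat(conn, name):
    """Weak form: data is pasted into the SQL text, so the SQL
    metacharacter ' inside `name` is read as control information."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_prepared(conn, name):
    """Prepared statement: the SQL text travels separately from the
    data, so no character in `name` can change the query's meaning."""
    query = "SELECT email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()
```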

Buffer Overflows

Buffer overflow occurs when an attempt is made to use a limited-length buffer to store a larger piece of data. Because of the lack of boundary checking, some amount of data will be written to memory locations immediately following the buffer. When an attacker manipulates program input, supplying specially crafted data payload, buffer overflows can be used to gain control of the application.

Buffer overflows affect C-based languages. Since most web applications are scripted (or written in Java, which is not vulnerable to buffer overflows), they are seldom affected by buffer overflows. Still, a typical web deployment can contain many components written in C:

Web servers, such as Apache

Custom Apache modules

Application engines, such as PHP

Custom PHP modules

CGI scripts written in C

External systems

Note that external systems such as databases, mail servers, directory servers and other servers are also often programmed in C. That the application itself is scripted is irrelevant. If data crosses system boundaries to reach the external system, an attacker could exploit a vulnerability.

A detailed explanation of how buffer overflows work falls outside the scope of this book. Consult the following resources to learn more:

The Shellcoder's Handbook: Discovering and Exploiting Security Holes by Jack Koziol et al. (Wiley)

"Practical Code Auditing" by Lurene A. Grenier (http://www.daemonkitty.net/lurene/papers/Audit.pdf)

"Buffer Overflows Demystified" by Murat Balaban (http://www.enderunix.org/docs/eng/bof-eng.txt)

"Smashing The Stack For Fun And Profit" by Aleph One (http://www.insecure.org/stf/smashstack.txt)

"Advanced Doug Lea's malloc exploits" by jp@corest.com (http://www.phrack.org/phrack/61/p61-0x06_Advanced_malloc_exploits.txt)

"Taking advantage of nonterminated adjacent memory spaces" by twitch@vicar.org (http://www.phrack.org/phrack/56/p56-0x0e)

Evasion Techniques

Intrusion detection systems (IDSs) are an integral part of web application security. In Chapter 9, I introduced web application firewalls (also covered in Chapter 12), whose purpose is to detect and reject malicious requests.

Most web application firewalls are signature-based. This means they monitor HTTP traffic looking for signature matches, where this type of "signature" is a pattern that suggests an attack. When a request is matched against a signature, an action is taken (as specified by the configuration). But if an attacker modifies the attack payload in some way to have the same meaning for the target but not
