F5 Security on OWASP Top 10: Injections
Part of the F5/OWASP Top Ten Series
At the top of the OWASP list is Injection. OWASP's definition is:
"Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data."
Long story short, it is letting unsanitized input reach a place where it gets interpreted or executed (which is darn near everywhere these days).
Everyone knows the story of little bobby:
In all honesty, I thought that Bobby’s Mom had a very valid point.
Let’s Inject:
Basic injection attacks are fairly simple to perform. We find an input parameter and try to send it something nefarious. In my labs, I’ve got a nice little auction site up and running. Everyone loves an auction.
To bid on items, of course, you need to be authenticated. Well, being the evilHacker, I want to get in without using my credentials. This is where the injection comes in. Using either passive intelligence gathering or just guessing based on how login forms are commonly built, I decide to try a simple SQL injection attack:
The input we are injecting into is the USERNAME field:
Username: ' or 1=1 #
[Screenshots: Pre-Injection | Post-Injection]
Huh... a logged-in user named ' or 1=1 #? Ruh-roh, Shaggy! So what is going on here? Let's look at the code at play:
<?php
// yadda yadda yadda
// Vulnerable: $username and $password are interpolated straight into the SQL string.
$query = "select id from users where nick='$username' and password='".md5($MD5_PREFIX.$password)."' and suspended=0";
It says:
Find me the user whose username and password match the input (the username as typed, plus some MD5 fun on the prefixed password) AND whose account is not suspended. How nice.
So what evilHacker did was make that simple query say:
select id from users where nick='' or 1=1 #' and password='<md5 hash>' and suspended=0
Now it says:
Find me the user whose nick is empty, OR where 1=1 (which is always true). The # starts a MySQL comment, so everything after it, including the password check and the suspended=0 check, is simply ignored. In essence the query returns the id of every record in the users table, the application takes the first one it gets back as the logged-in user, and evilHacker is in without a password.
Not a very strong front door eh?
Let’s fix
Wouldn't it be nice if they could just fix it at the code level and be done with it? Well, this one they can: bind the input as a parameter of a prepared statement (or, at the very least, escape the quote characters) so the username can never be parsed as SQL. But we all know that in reality, most code changes require scrums, waterfalls, validations, testing, and a flood of tears.
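As an added example (not code from the page, from F5, or from the auction site), here is the page's login query reproduced in Python against an in-memory SQLite users table, next to the same lookup rewritten with bound parameters, the code-level fix mentioned above. The rows in the table and the MD5_PREFIX value are constructed for the demo. SQLite has no # comment, so the payload is written with -- instead of the page's #; against MySQL the # form from the page does the same thing.

```python
import hashlib
import sqlite3

# Constructed sample data: a users table shaped like the one on the page.
# MD5_PREFIX stands in for the page's $MD5_PREFIX; its value is an assumption.
MD5_PREFIX = "s3cr3t-"
SAMPLE_USERS = [
    (1, "alice", "alice-pw", 0),
    (2, "bob", "bob-pw", 0),
    (3, "mallory", "mallory-pw", 1),  # suspended, must never log in
]


def password_hash(password):
    """md5($MD5_PREFIX.$password), as on the page."""
    return hashlib.md5((MD5_PREFIX + password).encode()).hexdigest()


def make_db():
    """In-memory SQLite copy of the auction site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (id integer primary key, nick text, "
        "password text, suspended integer)"
    )
    for uid, nick, pw, suspended in SAMPLE_USERS:
        conn.execute(
            "insert into users values (?, ?, ?, ?)",
            (uid, nick, password_hash(pw), suspended),
        )
    return conn


def vulnerable_query(username, password):
    """Builds the SQL exactly the way the page's PHP does: by string interpolation."""
    return (
        "select id from users where nick='%s' and password='%s' and suspended=0"
        % (username, password_hash(password))
    )


def login_vulnerable(conn, username, password):
    """Returns the first id the interpolated query matches, or None.

    Whatever the user types is parsed as SQL: a quote ends the nick literal
    and the rest of the input becomes part of the WHERE clause.
    """
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same lookup with bound parameters: the input is only ever a value."""
    row = conn.execute(
        "select id from users where nick=? and password=? and suspended=0",
        (username, password_hash(password)),
    ).fetchone()
    return row[0] if row else None


# SQLite has no '#' comment, so the page's payload is written with '--' here;
# against MySQL the '#' form from the page behaves the same way.
PAYLOAD = "' or 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(PAYLOAD, "whatever"))
    print("vulnerable login returns id:", login_vulnerable(db, PAYLOAD, "whatever"))
    print("fixed login returns id:", login_fixed(db, PAYLOAD, "whatever"))
```

With the payload as the username and any password at all, the interpolated query collapses to `where nick='' or 1=1` and hands back the first row (id 1); the parameterized version looks for a user literally named `' or 1=1 --`, finds none, and also keeps refusing the suspended account. Printing the string that vulnerable_query builds is the quickest way to see exactly what the database interpreter receives.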
In our case, we already have the virtual server for this website on the LTM/ASM (Virtual Edition 11.1). It's a few steps to get the ASM in place to defend it:
Now:
[Screenshots: Pre-Injection | Post-Injection]
Why the Block?
Now the coolest part: we, as the admins, can see why the block happened.
We go to Application Security -> Reporting -> Requests and put the Support ID from the block page into the filter. It returns the full request, the reason it was blocked, and the option to learn it as a false positive.
Pretty cool huh? This is only the tip of the iceberg for what fun we can have with the ASM.
- swo0sh_gt_13163 (Altostratus): Hey Josh, cool explanation. What exactly does ASM do when the ASM admin clicks on "Learn" if the incident reported is a false positive? Will it keep it under staging one more time and, once the ERP is over, ask you to enforce it? Or will it create an exception for this parameter for a particular signature? Cheers! Darshan
- Ndlovumm (Cirrus): Great explanation