WebApp Sec mailing list archives
RE: New Whitepaper - "Second-order Code Injection Attacks"
From: "Gunter Ollmann (NGS)" <gunter () ngssoftware com>
Date: Tue, 2 Nov 2004 22:28:48 -0000
Jeff, I see XSS as merely a subgroup of code injection attacks - and it is important to make that distinction. While they (as in XSS) still get a lot of press coverage, they're not particularly remarkable. The most effective attacks abusing XSS vulnerabilities to date would probably be within Phishing attacks - thankfully something that the press havn't focused upon. The OWASP categories of "stored" or "reflected", while good for a basic understanding, are a little too limited in scope to cover all XSS vulnerabilities. They are certainly inadequate for covering much of the code injection possibilities. Having said all that, it still suprises me how many people think that by testing for <script>alert('XSS')</script> - getting a positive response - means that an application is 100% vulnerable to XSS. People need to be a lot clearer about the types of code injection flaws a web-based application is vulnerable to -- instead of using a Cross-site Scripting catchall tag. Cheers, Gunter
-----Original Message----- From: Jeff Williams [mailto:jeff.williams () aspectsecurity com] Sent: 02 November 2004 20:44 To: Crispin Cowan; Gunter Ollmann Cc: bugtraq () securityfocus com; webappsec () securityfocus com Subject: Re: New Whitepaper - "Second-order Code Injection Attacks" Gunter, Thanks for the comprehensive treatment of this class of vulnerabilities. The OWASP Top Ten paper breaks down XSS flaws into "stored" and "reflected" categories, but your paper is far closer to a complete theory about all the ways that tainted data can undermine the security of applications. --Jeff ----- Original Message ----- From: "Crispin Cowan" <crispin () immunix com> To: "Gunter Ollmann" <gunter () ngssoftware com> Cc: <bugtraq () securityfocus com> Sent: Monday, November 01, 2004 8:45 PM Subject: Re: New Whitepaper - "Second-order Code Injection Attacks"I found an instance of this class of vulnerability in 1998 where an attacker could inject code into the "locate" database,which would laterbe executed when root tried to do a locate on some path name http://msgs.securepoint.com/cgi-bin/get/bugtraq/601/1.html Mine was not the first such"secondary code injection"attack. It was aconsequence of exploring a PoC by MiG for a buffer overflow vulnerability in bash, where in a tall directory tree would overflow bash when you try to cd into that directory and you havethe pwd set tobe part of your prompt. At the time, it did not occur to methat it wasa special kind of buffer overflow. Crispin Gunter Ollmann wrote:Hi list, NGS Software is pleased to make available a new whitepaper about second-order code injection attacks. Abstract: "Many forms of code injection targeted at web-basedapplications (forinstance cross-site scripting and SQL injection) rely upon theinstantaneousexecution of the embedded code to carry out the attack(e.g. stealing auser's current session information or executing a modifiedSQL query). Insome cases it may be possible for an attacker to injecttheir malicious codeinto a data storage area that may be executed at a laterdate or time.Depending upon the nature of the application and the waythe malicious datais stored or rendered, the attacker may be able to conducta second-ordercode injection attack. A second-order code injection attack can be classified asthe process inwhich malicious code is injected into a web-basedapplication and notimmediately executed, but instead is stored by theapplication (e.g.temporarily cached, logged, stored in a database) and then laterretrieved,rendered and executed by the victim." The paper can be accessed from: http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf Cheers, Gunter ------------------------------------------------------ G u n t e r O l l m a n n, MSc(Hons), BSc Professional Services Director Next Generation Security Software Ltd. First Floor, 52 Throwley Way Tel: +44 (0)208 401 0089 Sutton, Surrey, SM1 4BF, UK Fax: +44 (0)208 401 0076 http://www.nextgenss.com -------------------------------------------------------- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Current thread:
- Re: New Whitepaper - "Second-order Code Injection Attacks" Jeff Williams (Nov 05)
- RE: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (NGS) (Nov 05)
- <Possible follow-ups>
- Re: New Whitepaper - "Second-order Code Injection Attacks" Jan P. Monsch (Nov 11)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (Nov 11)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Rogan Dawes (Nov 12)
- RE: New Whitepaper - "Second-order Code Injection Attacks" Mark Curphey (Nov 14)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Stephen de Vries (Nov 20)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (Nov 11)