Saturday, 22 September 2012

Breaking the syntax

I recently gave a training at OWASP NZ on test-driven security. One of the key concept I introduced was "Breaking the syntax".

My idea is that way too many people think about vulnerability as a magic pattern:

  • ' or 1=1
  • <script>alert(1);</script>
  • `id`
  • ../../../../../

And that's wrong for many reasons:

  • a pattern can be filtered;
  • a pattern only works in some cases
  • ... it's just wrong.

A better solution, is to think about injection based attacks as breaking the syntax and not just sending a payload and see how things go.

Let's take an example:

<a href="/[USER CONTROLLED]" >test</a>


If you are able to inject a double quote, you can break the syntax:

<a href="/broken " syntax" >test</a>

The HTML syntax is no longer valid, after that, you can find a payload to exploit this issue if needed.

The same things apply to this example:

<a href=/[USER CONTROLLED] >test</a>

However here, you don't even need to inject a quote, a double quote, or > and <, you just need to be able to put a space to break the syntax of the HTML page:

<a href=/broken syntax>test</a>

You may not be able to exploit the bug based on other components, but if you're a developer and want to ensure the security of your application you just need to understand this to test for injection based attacks.

And "breaking the syntax" applies to SQL injections, code execution, commands execution, ...

No comments: