What Are We Going To Learn?

Note: For the exercises, the course directory has changed! It's now https://github.com/SecuringTheStack/tutorials/tree...

Environment Setup/Error Reporting: https://sts.tools/readme

Questions: https://sts.tools/injection-question

Injection Fundamentals: What Is Injection?

Table Of Contents

Intro

  • OWASP Top 10 2017
    • Top 10 security threats to web applications
      • Injection is #1 risk
  • Who is this course for?
    • Developers who have novice injection/security knowledge
  • Prerequisites: None
  • At the end of this episode, you’ll be able to
    1. Understand what injection is
    2. Understand how execution contexts are linked to injection risks
    3. Evaluate code to decipher all execution contexts
    4. Inject a live node.js server within a safe containerized environment
      • Offense is the best defense!
  • Ready? Come join me in the next lecture!

What Is Injection?

Inject The Shell Context (Assignment)

  • Hint:
    1. Think about the execution context that we're focusing on (i.e., the Linux shell) and what delimits shell commands
    2. pkill

Inject The Shell Context (Answer)

Inject The Shell Context (Takeaways)

  • Input is fed into an execution context (e.g., /bin/sh) which has its own syntax (e.g., `;` as a command delimiter)
    • If delimiters are allowed through, injection can be very easy
  • If the input has come from an outside entity, don't trust it
    • Ex: user-supplied data that's coming from a database (it is still outside input, even though it was stored first)
  • What other ways can the shell context be exploited?

Syntactic Injection

  • Syntactic Injection
    • Exploiting the syntax of a given execution context

Evaluating Execution Contexts

  • var curl = exec("curl " + userDefinedUrl);
    • What execution contexts are being leveraged?
      1. shell
      2. curl
      3. javascript
        1. Always true: the host language running the code is itself an execution context

Next Steps

  • Additional assignment: Look for file manipulation within a codebase and identify potential injection issues
    • Sometimes file manipulations occur within a shell context
  • Review video notes for links to
    • Other/future episodes
    • Additional resources
      • Specific to other languages
      • Ability to explore more in-depth
  • Future episodes will cover additional execution contexts
  • Thanks! :D

Error Log

  • None so far :)

Additional Resources

  • Please submit a PR with any additional resources.

General

Java

Javascript

Ruby

PHP

Python

Knowledge Dependency Tree

  • None. This is the first episode.