What Are We Going To Learn?
Note: For the exercises, the course directory has changed! It's now https://github.com/SecuringTheStack/tutorials/tree...
Environment Setup/Error Reporting: https://sts.tools/readme
Questions: https://sts.tools/injection-question
Injection Fundamentals: What Is Injection?
Help Me/Important StS Links
- Video: https://securing-the-stack.teachable.com/p/injection-fundamentals-1
- Env Setup: https://sts.tools/setup
- Ask A Question: https://sts.tools/injection-question
- Speak To Human: https://sts.tools/live-support
- Overarching Playlist: https://securing-the-stack.teachable.com/p/injection-playlist
Table Of Contents
Intro
- OWASP Top 10 2017
- Top 10 security threats to web applications
- Injection is #1 risk
- Who is this course for?
- Developers who have novice injection/security knowledge
- Prerequisites: None
- At the end of this episode, you’ll be able to
- Understand what injection is
- Understand how execution contexts are linked to injection risks
- Evaluate code to decipher all execution contexts
- Inject a live node.js server within a safe containerized environment
- Offense is the best defense!
- Ready? Come join me in the next lecture!
What Is Injection?
- Webhook functionality within a node application, leveraging GET for simplicity
- Injection is introducing data with malicious intent
- This data could include unexpected commands that the program executes
- What malicious data could be injected into userDefinedUrl?
Inject The Shell Context (Assignment)
// Assignment: Kill the node process by entering data into `userDefinedUrl`
// Assume that the commands are being executed within a bash shell
var userDefinedUrl = 'example.com/route';
// Allow shell access
var exec = require('child_process').exec;
var curl = exec('curl ' + userDefinedUrl);
curl.stdout.on('data', function(data) {
// Mock response
console.log(data);
});
// Run: "EX_NUM=1 docker-compose up"
// File: "ep9-injection-fundamentals-part-1/src/1/app.js"
// Env Setup/Error Reporting: https://sts.tools/readme
// Questions: https://sts.tools/injection-question
- Hints:
- Think about the execution context that we’re focusing on (i.e., the Linux shell) and what delimits shell commands
- pkill
Inject The Shell Context (Answer)
// Make a PR and contribute your answers here!
// var userDefinedUrl = "example.com/route; pkill node";
var userDefinedUrl = 'example.com/route';
// Allow shell access
var exec = require('child_process').exec;
var curl = exec('curl ' + userDefinedUrl);
curl.stdout.on('data', function(data) {
// Mock response
console.log(data);
});
// Run: "EX_NUM=2 docker-compose up"
// File: "ep9-injection-fundamentals-part-1/src/2/app.js"
// Env Setup/Error Reporting: https://sts.tools/readme
// Questions: https://sts.tools/injection-question
Inject The Shell Context (Takeaways)
- Input is fed into an execution context (e.g., /bin/sh) which has a unique syntax (e.g., ;)
- If delimiters are allowed, injection can be very easy
- If the input has come from an outside entity, don’t trust it
- Ex: User supplied data that’s coming from a database
What other ways can the shell context be exploited?
Syntactic Injection
- Syntactic Injection
- Exploiting the syntax of a given execution context
Evaluating Execution Contexts
var curl = exec("curl " + userDefinedUrl);
- What execution contexts are being leveraged?
- shell
- curl
- javascript
- Always true
Next Steps
- Additional assignment: Look for file manipulation within a codebase and identify potential injection issues
- Sometimes file manipulations occur within a shell context
- Review video notes for links to
- Other/future episodes
- Additional resources
- Specific to other languages
- Ability to explore more in-depth
- Future episodes will cover additional execution contexts
- Thanks! :D
Error Log
- None so far :)
Additional Resources
- Please submit a PR with any additional resources.
General
Java
Javascript
Ruby
PHP
Python
Knowledge Dependency Tree
- None. This is the first episode