school kids playing with a freshly downloaded Burp Suite or automated tools running with their default configuration.
2. Does the restrictive list (the blacklist) include the SQL comment sequences? Replace the spaces with inline comments and percent-encode the closing comment marker as %2D%2D:
http://[victim_site]/[victim_resource_page]/
[resource_operation]?id=2/**/or/**/2/**/like/**/2%2D%2D
3. Is the IDS looking for more complex regular expressions such as SELECT, UNION ALL, LIKE, and so on? Go to asciitohex.com and read what this decodes to: %55%4e%49%4f%4e%20%41%4c%4c (it is UNION ALL, percent-encoded byte by byte). Go on, add it to the REST query string with some trimmings of your own.
4. Now the IDS decodes hex. Good! Does it also handle letter-case mutilation such as UnIoNaLl inside the decoded text? And why should the encoding always be the same one? An attacker has plenty of encodings to play with: UTF-7 or UTF-8 (here some XML developers will start getting the idea of why declaring the encoding in the XML message root is so important: a filter has to decode the message the same way its consumer will).
5. To automate detection-evasion testing, go to http://phpids.org/ . Try your own injection strings and see, for free, which patterns and IDS regular expressions they trigger.
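Putting steps 2 to 5 together, here is an added example in Python (written for this page, not code from the book): a naive substring blacklist of the kind criticised above, one payload per evasion step (the query string from step 2 reused verbatim, the others constructed here), and a canonicalising check that percent-decodes until stable, decodes the bytes with the charset the consumer declares, turns inline comments into whitespace, collapses whitespace and case-folds before matching. The signature names, the block-list contents and the charset parameter are assumptions made for the demo; the UTF-7 string is the base64 shift-sequence form of UNION that a UTF-7 decoder accepts.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed naive block-list: literal substrings matched against the raw
# query string, with no decoding and no comment handling.
NAIVE_BLOCKLIST = [" or ", " like ", "--", "UNION ALL", "union all"]

# Constructed payloads, one per evasion step. "comments" is the query string
# from step 2; the others were written for this example.
PAYLOADS = {
    "plain":       "id=2 or 2 like 2--",                                    # what a default-configured scanner sends
    "comments":    "id=2/**/or/**/2/**/like/**/2%2D%2D",                     # step 2: /**/ for spaces, %2D%2D for --
    "percent_hex": "id=2%20%55%4e%49%4f%4e%20%41%4c%4c%20select%201%2D%2D",  # step 3: UNION ALL percent-encoded
    "mixed_case":  "id=2 UnIoN aLl select 1%2D%2D",                         # step 4: letter-case mutilation
    "utf7":        "id=2 +AFUATgBJAE8ATg- ALL select 1%2D%2D",               # step 4: "UNION" as a UTF-7 shift sequence
}


def naive_ids(query_string):
    """Blacklist check as the text criticises it: raw string, literal tokens only."""
    return any(token in query_string for token in NAIVE_BLOCKLIST)


COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize(query_string, charset="utf-8", max_rounds=3):
    """Canonical form for matching: percent-decode until stable (defeats double
    encoding), decode the bytes with the charset the consumer will actually use
    (the XML-declaration point above), replace inline comments with whitespace,
    collapse whitespace and case-fold."""
    text = query_string
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(text).decode(charset, errors="replace")
        if decoded == text:
            break
        text = decoded
    text = COMMENT_RE.sub(" ", text)
    text = re.sub(r"\s+", " ", text)
    return text.casefold()


# Assumed signature set for the demo; real rule sets are far larger.
HARDENED_SIGNATURES = {
    "tautology": re.compile(r"\bor\s+\S+\s*(?:=|like)\s*\S+"),
    "union":     re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "comment":   re.compile(r"--"),
}


def hardened_ids(query_string, charset="utf-8"):
    """Names of the signatures that fire on the canonical form; an empty list means clean."""
    canon = normalize(query_string, charset)
    return [name for name, rx in HARDENED_SIGNATURES.items() if rx.search(canon)]


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:12s} naive={naive_ids(payload)!s:5s} hardened={hardened_ids(payload)}")
    # The UTF-7 payload only reveals UNION when decoded the way the consumer would.
    print("utf7 decoded as utf-7 ->", hardened_ids(PAYLOADS["utf7"], charset="utf-7"))
```

Only the plain payload trips the naive list; every other one sails through. The hardened check catches all of them once they are canonicalised, with one instructive exception: the UTF-7 payload is only recognised as UNION when the filter decodes it with the same charset the consumer applies, which is exactly why a filter that ignores the declared encoding is blind to it.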
The last thing to mention is that SQL injection is still the most popular attack, but don't count on it alone. The attacker will unleash a complex multi-vector attack in support of the injection. One possible combination is:
• Crash and restart your service (buffer overflow) in order to reset the nonce sequencing.
• Detect the IDS type and find out which logs it watches (Apache, IIS). Then attack the HTTP servers in order to reach those logs and clean them.
• Probe the IDS for internal weaknesses, including gaps in its blacklists.
By the way, if you think that SQL injection is possible only because someone is concatenating the SQL string before executing the query, be aware that injection into SQL stored procedures is quite possible as well: a procedure that builds and executes dynamic SQL from its arguments is the same concatenation, merely moved to the database server. Prepared statements are more resilient, though, because the values travel as bound parameters and are never parsed as SQL.
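To make that last point concrete, here is an added example in Python using the standard-library sqlite3 module (written for this page, not code from the book): a lookup that splices the id into the statement text, beside the same lookup as a prepared statement with a bound parameter, both fed the evasive payload from the query string earlier in this section. The table, its rows and the owner restriction are constructed for the demo.

```python
import sqlite3

# Evasive payload from the query string earlier in the section, percent-decoded.
PAYLOAD = "2/**/or/**/2/**/like/**/2--"


def make_db():
    """Constructed in-memory table standing in for the victim's resource table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resource (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO resource VALUES (?, ?, ?)",
        [(1, "alice", "private"), (2, "bob", "shared"), (3, "carol", "private")],
    )
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable on purpose: the untrusted id becomes part of the statement text,
    so the comments and operators inside it are parsed as SQL and the trailing
    owner check is commented out by the payload's '--'."""
    sql = "SELECT id, owner FROM resource WHERE id = " + user_id + " AND owner = 'bob'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, user_id):
    """Hardened: the statement text is fixed and the id travels as a bound
    parameter, so the payload is just a string that equals no integer id."""
    sql = "SELECT id, owner FROM resource WHERE id = ? AND owner = 'bob'"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("concat,   legit id:", lookup_concat(conn, "2"))
    print("concat,   payload :", lookup_concat(conn, PAYLOAD))    # every row; owner check bypassed
    print("prepared, legit id:", lookup_prepared(conn, "2"))
    print("prepared, payload :", lookup_prepared(conn, PAYLOAD))  # no rows
```

The concatenated version returns every row for the payload because `id = 2 or 2 like 2` is true everywhere and the `--` discards the owner clause; the prepared version returns nothing because the payload is compared as a value. The same split applies inside the database: a stored procedure that assembles its statement from its arguments and runs it with EXEC is the concatenated version, and calling that procedure with a bound parameter does not help. Note also that parameters bind values only; table names, column names and ORDER BY targets still have to be validated against a fixed list.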
The conclusion is that the attacker has the advantage, not you. Your task is to prepare a multilayered defense.
XPATH injection
The attack code for XPATH injection is AT05 .