
Difference between revisions of "Unsanitized input split"

From NetSec
(Created page with " Unsanitized input split If input is being split and parsed based on an expected number of delimiters, it is trivial for an attacker to input an extra delimiter and, d...")
 
 
Line 1: Line 1:
    Unsanitized input split
+
If input is being split and parsed based on an expected number of delimiters, it is trivial for an attacker to input an extra delimiter and, depending on the severity of the issue, execute code or engage in other mayhem.
        If input is being split and parsed based on an expected number of delimiters, it is trivial for an attacker to input an extra delimiter and, depending on the severity of the issue, execute code or engage in other mayhem.
+
 
          
 
          
    Proof of concept:
+
=Proof of concept=
  * PHP:
+
* [[PHP]]
    <?php
+
 
      $username = $argv[1];
+
{{code|text=<source lang="php">
      if ($username == "admin") {
+
<?php
        $username = $username . ":1";
+
  $username = $argv[1];
      } else {
+
  if ($username == "admin") {
        $username = $username . ":0";
+
    $username = $username . ":1";
    }
+
  } else {
    $username = split(":", $username);
+
    $username = $username . ":0";
    if($username[1] == "1") {
+
  }
      echo "Is an admin\n";
+
  $username = split(":", $username);
    } else {
+
  if($username[1] == "1") {
      echo "Not an admin\n";
+
    echo "Is an admin\n";
    }
+
  } else {
    ?>
+
    echo "Not an admin\n";
    Mitigation:
+
  }
 +
?>
 +
</source>}}
 +
 
 +
=Mitigation=
 
      
 
      
    In order to mitigate this attack, sanitize input before splitting. Be certain that there are no malicious delimeters. For example:
+
In order to mitigate this attack, sanitize input before splitting. Be certain that there are no malicious delimeters. For example:
 
      
 
      
  * PHP:
+
* [[PHP]]
    <?php
+
{{code|text=<source lang="php">
      $username = str_replace(":", "", $argv[1]);
+
<?php
      if ($username == "admin") {
+
  $username = str_replace(":", "", $argv[1]);
        $username = $username . ":1";
+
  if ($username == "admin") {
      } else {
+
    $username = $username . ":1";
        $username = $username . ":0";
+
  } else {
    }
+
    $username = $username . ":0";
    $username = split(":", $username);
+
  }
    if($username[1] == "1") {
+
  $username = split(":", $username);
      echo "Is an admin\n";
+
  if($username[1] == "1") {
    } else {
+
    echo "Is an admin\n";
      echo "Not an admin\n";
+
  } else {
    }
+
    echo "Not an admin\n";
    ?>
+
  }
 +
?>
 +
</source>}}
 
      
 
      
    Auditing:
+
=Auditing=
 
      
 
      
 
[[Category:Secure programming]]
 
[[Category:Secure programming]]
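Review bot: In both blocks moved into `<source lang="php">`, the `split(":", $username)` call is carried over unchanged; `split()` was deprecated in PHP 5.3 and removed in PHP 7, so neither the proof of concept nor the mitigation runs on current PHP. `explode(":", $username)` is the drop-in replacement for a literal delimiter. While the text is being reformatted, "delimeters" in the Mitigation sentence should be corrected to "delimiters", and the new `=Auditing=` heading is added with no body.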

Latest revision as of 01:59, 12 May 2013

If input is being split and parsed based on an expected number of delimiters, it is trivial for an attacker to input an extra delimiter and, depending on the severity of the issue, execute code or engage in other mayhem.

Proof of concept

 
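<?php
  // Deliberately vulnerable: a trusted flag is appended to unsanitized input.
  $username = $argv[1];
  if ($username == "admin") {
    $username = $username . ":1";
  } else {
    $username = $username . ":0";
  }
  // explode() replaces split(), which was removed in PHP 7.
  $username = explode(":", $username);
  // Index 1 is assumed to be the appended flag; an extra ":" in the input shifts it.
  if($username[1] == "1") {
    echo "Is an admin\n";
  } else {
    echo "Not an admin\n";
  }
?>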
 

Mitigation

To mitigate this attack, sanitize input before splitting. Be certain that it contains no malicious delimiters. For example:

 
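<?php
  // Strip the delimiter from the input before the trusted flag is appended.
  $username = str_replace(":", "", $argv[1]);
  if ($username == "admin") {
    $username = $username . ":1";
  } else {
    $username = $username . ":0";
  }
  // explode() replaces split(), which was removed in PHP 7.
  $username = explode(":", $username);
  // The input can no longer contain ":", so index 1 is always the appended flag.
  if($username[1] == "1") {
    echo "Is an admin\n";
  } else {
    echo "Not an admin\n";
  }
?>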
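
A stricter variant of the same mitigation, given here as an added example that is not part of the original page: instead of stripping the delimiter, reject any input that contains it, and verify the field count after splitting. The function names `build_record` and `parse_record`, the allow-list pattern and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. Names and inputs are hypothetical.
const DELIM = ":";

// Build "name:flag" only when the name cannot contain the delimiter.
function build_record(string $name): ?string {
    // Allow-list (assumed policy): letters, digits, underscore, dot, hyphen; 1-32 chars.
    // Rejecting avoids silently rewriting input, e.g. turning "ad:min" into "admin".
    if (preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $name) !== 1) {
        return null;
    }
    $flag = ($name === "admin") ? "1" : "0";
    return $name . DELIM . $flag;
}

// Parse a record and refuse anything that is not exactly two well-formed fields.
function parse_record(string $record): ?array {
    $fields = explode(DELIM, $record);
    if (count($fields) !== 2 || !in_array($fields[1], ["0", "1"], true)) {
        return null;
    }
    return ["name" => $fields[0], "is_admin" => $fields[1] === "1"];
}

// Constructed sample inputs: ordinary names, names carrying a delimiter, and an empty name.
foreach (["guest", "admin", "guest:1", "ad:min", ""] as $input) {
    $record = build_record($input);
    $parsed = ($record === null) ? null : parse_record($record);
    $label  = var_export($input, true);
    if ($parsed === null) {
        printf("%-10s rejected\n", $label);
    } else {
        printf("%-10s %s\n", $label, $parsed["is_admin"] ? "Is an admin" : "Not an admin");
    }
}
```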
 

Auditing