Software Vulnerabilities and Defensive Coding
15 Questions
Questions and Answers

What is the main issue with the following PHP code that handles a login form?

    $username = $_POST['username'];
    $password = $_POST['password'];
    $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    $result = mysqli_query($conn, $query);

  • The code does not connect to the database correctly.
  • The code does not handle empty input fields.
  • The code uses an outdated version of PHP.
  • The code is vulnerable to SQL injection because it directly concatenates user inputs into the SQL query. (correct)

Which of the following inputs could lead to a successful SQL injection attack against the vulnerable code below?

    $search = $_GET['search'];
    $query = "SELECT * FROM products WHERE name LIKE '%$search%'";
    $result = mysqli_query($conn, $query);

  • apple
  • '; DROP TABLE products; #
  • 100 OR 1=1
  • All of the above (correct)

What is wrong with the following PHP code, and how can it be mitigated?

    $id = $_GET['id'];
    $new_email = $_POST['email'];
    $query = "UPDATE users SET email = '$new_email' WHERE id = $id";
    mysqli_query($conn, $query);

  • The code will fail because of incorrect SQL syntax.
  • The code is vulnerable to SQL injection because it directly includes user inputs in the query. Use parameterized queries to fix it. (correct)
  • The code is secure as it is.
  • The query should use double quotes instead of single quotes for variables.

What type of injection involves an attacker injecting code in the programming or scripting language used by the application?

  • Code Injection

Which of the following PHP functions are particularly vulnerable to code injection?

  • All the above (C)

What is the primary reason to avoid using preg_replace('/e') in PHP?

  • It allows the evaluation of PHP code from user input, leading to code injection vulnerabilities. (D)

How can you prevent code injection when using the include() function with user inputs?

  • Validate that $page only includes safe characters and paths, and restrict it to known filenames. (C)

Which of the following inputs could lead to a successful code injection attack against the vulnerable PHP code below?

    $command = $_GET['command'];
    eval($command);

  • All of the above (D)

What type of injection allows an attacker to execute arbitrary system commands on the host OS via the vulnerable application?

  • Command Injection

Which of the following inputs would be dangerous if passed to the following PHP code?

    $filename = $_GET['filename'];
    shell_exec("rm " . $filename);

  • All of the above (D)

What is the primary risk associated with the following PHP code?

    $userInput = $_GET['file'];
    system("cat " . $userInput);

  • The code is vulnerable to command injection because user input is directly appended to a shell command. (C)

Which PHP function is MOST susceptible to command injection attacks?

  • exec() (D)

What can be a dangerous consequence of using the exec() function in PHP without proper input validation?

  • The code could execute arbitrary system commands, allowing an attacker to control the server. (C)

How can you mitigate command injection vulnerabilities when using functions like system(), exec(), or shell_exec() in PHP?

  • Restrict input to a whitelist of allowed commands and use escapeshellarg() or escapeshellcmd(). (D)

Flashcards

Code Injection

When an attacker injects malicious code into an application, using the programming language of that application.

eval()

A PHP function that evaluates a string as PHP code.

include() / require()

PHP functions used to include and execute external files. Attackers can exploit path manipulation.

preg_replace()

A function that performs a regular expression search and replace. The /e modifier can execute code.

assert()

A function that evaluates a string as PHP code if the condition is false. Used mainly for debugging but opens security holes.

Sanitize Inputs

Convert the data into a safe form.

Input Whitelisting

Use a known list of accepted inputs.

preg_replace_callback()

A safer alternative to preg_replace() with the /e modifier: it processes each match through a callback function, avoiding direct code execution.

htmlspecialchars()

Escapes user input for HTML output by encoding special characters.

Command Injection

When an attacker runs OS commands via a vulnerable application.

exec()

PHP function that executes an external program.

system()

PHP function similar to exec(), but also captures the output.

shell_exec()

Runs a command via shell and returns the complete output as a string.

passthru()

PHP function that executes a command and outputs raw data directly to the browser.

popen()/proc_open()

Functions that open a process for execution.

Backticks ``

PHP's backtick operator executes the enclosed string as a shell command.

escapeshellarg()

Removes any character that might be used to trick a shell command.

escapeshellcmd()

Escapes shell metacharacters in a command string.

Input Validation

Checks that input is in the expected format before it is used.

PHP Built-in Functions

Use PHP's own functions to do the work instead of executing a system command.

Cross-Site Scripting (XSS)

A form of code injection where the attacker injects malicious scripts into websites.

Non-Persistent (Reflected) XSS

Input is immediately returned in an error or search result.

Persistent (Stored) XSS

Malicious code that is stored on the server and served to later visitors.

DOM-Based XSS

Occurs due to vulnerabilities in client-side JavaScript code.

Cross-Site Request Forgery (CSRF)

The application does not verify that the request was intentionally made by the legitimate user.

Insecure Direct Object References

Attackers manipulate direct references to internal implementation objects.

Security Misconfiguration

Security features are not correctly configured.

File Attacks

Vulnerabilities related to file uploading.

Side Channel Attacks

Gaining information by analyzing execution time.

Common Software Vulnerabilities

Buffer Overflow, Injection Flaws, Broken Authentication, XSS, CSRF, Security Misconfiguration.

Study Notes

Common Software Vulnerabilities and Controls

  • Common software vulnerabilities include:
    • Buffer, Stack, and Heap Overflows
    • Injection Flaws
    • Broken Authentication and Session Management
    • Cross-Site Scripting (XSS)
    • Non-Persistent or Reflected XSS
    • Persistent or Stored XSS
    • DOM based XSS
    • Cross-Site Request Forgery (CSRF)
    • Insecure Direct Object References
    • Security Misconfiguration
    • File Attacks
    • Side Channel Attacks

Defensive Coding Practices

  • Defensive coding practices include:
    • Input Validation
    • Canonicalization
    • Sanitization
    • Error Handling
    • Safe APIs
    • Memory Management
    • Exception Management
    • Session Management
    • Configuration Parameters Management
    • Secure Startup
    • Cryptography
    • Concurrency
    • Tokenization
    • Sandboxing
    • Anti-Tampering

SQL Injection Vulnerability Example

  • PHP code directly concatenates user inputs which makes the SQL query vulnerable to injection.

SQL Injection Attack Types

  • The following inputs lead to a successful SQL injection attack against vulnerable code:
    • ' ; DROP TABLE products; #
    • 100 OR 1=1
    • apple

SQL Injection Mitigation

  • PHP code can be fixed by using parameterized queries to avoid direct insertion of user inputs.

Code Injection Definition

  • Code injection involves the attacker injecting code in the programming or scripting language used by the application.
  • Languages commonly injected into are PHP, Python, and JavaScript.

Vulnerable PHP Functions

  • PHP functions that are particularly vulnerable to code injection:
    • eval()
    • include()
    • require()
    • include_once()
    • require_once()
    • preg_replace()
    • assert()

Code Injection Functions

  • eval(): Evaluates a string as PHP code and is rarely needed.
  • include(), require(), include_once(), require_once(): Used to include and execute files.
  • preg_replace(): Used for regular expression search and replace, evaluates the replacement as PHP code if used with the /e modifier.
  • assert(): Evaluates a string as PHP code if a condition is false, used for debugging.

Code Injection Prevention Methods

  • Avoid using dangerous PHP functions like eval(), assert(), and preg_replace() with the /e modifier.
  • Employ safe methods for dynamic content.
  • Avoid the /e modifier in preg_replace(). Use preg_replace_callback() instead.

Code Injection Prevention Techniques

  • htmlspecialchars() should be used to avoid code injection.
  • preg_replace_callback() should be used instead of preg_replace().
  • It is best to avoid using preg_replace('/e').

Code Injection Via Directory Traversal

  • Attackers use directory traversal (../../) to reach a directory other than the one the application intended.
  • This allows them to get a file containing harmful PHP code onto the server and have it included.

Code Injection Prevention Strategy

  • Use whitelisting over blacklisting.
  • Sanitize and validate inputs.

Code Injection Questions

  • The primary reason to avoid using preg_replace('/e') in PHP is that it allows evaluation of PHP code from user input, leading to code injection vulnerabilities.
  • Code injection via the include() function can be prevented by validating that the included path contains only safe characters and paths, and restricting it to known filenames.

Command Injection Definition

  • Command injection involves the attacker executing arbitrary system commands on the host OS via the vulnerable application.
  • The injected input is usually run through a system shell command.

Functions Vulnerable to Command Injection in PHP

  • Vulnerable functions include:
    • exec()
    • system()
    • shell_exec()
    • passthru()
    • popen()
    • proc_open()
    • the backtick operator (``)

Command Injection Vulnerability Example

  • In an application that passed user input to the grep command via shell_exec(), an attacker injected a cat /etc/passwd command to read sensitive system files.
  • Improper handling of user input in an application that performs network diagnostics allows attackers to inject OS commands.

Command Injection Prevention

  • Always validate and sanitize inputs, using functions like escapeshellarg() and escapeshellcmd().
  • Avoid using user input directly in commands.
  • Apply proper input checks.
  • Use safer alternatives such as PHP's built-in functions.
  • Minimize the privileges of the account that runs the commands.

Command Injection Prevention With PHP Built-In Functions

  • Use scandir() or glob() instead of ls for directory listings
  • Use unlink() instead of rm for file deletion
  • Use copy(), rename(), and move_uploaded_file() instead of cp or mv for file operations
  • Employ file_put_contents(), file_get_contents(), and fopen() instead of cat or echo for reading and writing files
  • To check server connectivity employ PHP functions like:
    • fsockopen()
    • stream_socket_client()
    • cURL instead of system("ping $host")

Harmful PHP Code in Command Injections

  • Passing the following inputs in PHP code would be dangerous in command injections:
    • ; rm -rf /

Command Injection Attacks

  • The most susceptible PHP function to command injection attacks is exec()

Command Injections Risks

  • A dangerous consequence of using the exec() function in PHP without proper input validation is an attacker could control the server.

Command Injection Mitigation Tips

  • Mitigate command injection vulnerabilities by restricting input to a whitelist of allowed commands and using escapeshellarg() or escapeshellcmd().

Description

Explore common software vulnerabilities like XSS and SQL injection. Learn defensive coding practices including input validation and secure APIs to mitigate risks. Understand techniques for secure software development.
