Hello and welcome to the Cybrary secure coding course. My name is Sunny Wear, and this is the OWASP Top 10 for 2013, A1 Injection demo: JSON Injection.
This is the demo for A1 Injection. This is JSON Injection.
Now, JSON actually uses AJAX in order to perform queries asynchronously to the back end without the server having to do a refresh. Let's go ahead and take a look at this page as it normally runs.
We're here to select some sort of pen test tool from a drop-down, so we'll go ahead and do that and just see how it normally works.
What we can see here is that we have a resulting table, and that table is being populated with information that basically is coming back to us from a JSON structure.
Now let's go ahead and start our Burp Suite, put our interceptor on, and send the same request again. Now you'll notice that Burp Suite immediately starts blinking, and there was no refresh, because that's how AJAX works.
All that we have is a tool ID that gets sent to the back end in order to query a database.
So if we go ahead and forward this to see our response, what we get back is the JSON structure. This basically corresponds to what we're seeing in that table. So we have the query: the tool ID requested is a one. The tool ID is one, the tool name is Web Security, and there's a scanner and a comment, etc. And if we go back to the web page and look at that table, we can see that that information corresponds.
So now the question is, does this particular page have a vulnerability? And the way that this is usually done is by trying to insert some sort of special canary value, or some sort of signal, that lets a pen tester, or worse an attacker, know that a page might be susceptible to an injection attack.
Now, how we can do that is, we've got our Burp Suite interceptor on. Let's go ahead and send this again. And this time, before we get the response back, let's go ahead and put our canary value there. So I'm just going to put the word canary.
Now, when I get the response back, what's interesting is that everywhere I see my word canary means that I am able to actually inject something. In this case, it's actually reflecting back to me. So not only can I do an injection attack, but this is also a reflected cross-site scripting attack, which we'll talk about in the cross-site scripting section. But that means that I can basically manipulate the value that is stored in the variable tool ID requested.
So since we know that we can inject some sort of commands and that that will actually be reflected back, let's go ahead and do a JSON injection where we actually display the cookie back that is currently being used. So in order to properly do this, we could create some immediately after our vulnerable variable name, and then we end that command. Then we can begin the alert, which is going to actually display the current cookie that's being used by this particular user, and then we end that command with a semicolon, and then we use two slashes at the end. This is to basically note that the rest of the information is going to be a comment.
So let's go ahead and run this. We'll take that JavaScript as it's been URL-encoded. Our PHP session ID is displayed back to us. So our attack worked.
For JSON structures, you need to first of all ensure that they are not vulnerable to injection. And that is definitely a method that's made available through the OWASP HTML Sanitizer or other frameworks.
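As an added illustration (not part of the course demo or its application), the following Python compares a back end that pastes the requested tool ID into the JSON text by string concatenation, the pattern the canary test exposes, with one that serialises the whole object through `json.dumps`, and includes a defender-side check of whether a canary altered the JSON structure. The tool table and the function names are constructed for this example.

```python
import json
from typing import Optional

# Constructed sample row standing in for the demo's back-end table (not the course's data).
TOOLS = {
    "1": {"tool_id": 1, "tool_name": "Web Security Scanner", "comment": "example row"},
}


def lookup(requested: str) -> Optional[dict]:
    """Return the tool row for a requested ID, or None when it is unknown."""
    return TOOLS.get(requested)


def build_response_unsafe(requested: str) -> str:
    """Vulnerable pattern: the request parameter is pasted into the JSON text as-is,
    so a double quote in the input closes the string value and whatever follows
    lands in the JSON structure itself (the reflection the demo's canary reveals)."""
    row = lookup(requested)
    return ('{"tool_id_requested": "' + requested + '", '
            '"result": ' + json.dumps(row) + '}')


def build_response_safe(requested: str) -> str:
    """Fixed pattern: serialise the whole object with json.dumps, which escapes
    quotes, backslashes and control characters inside every string value."""
    return json.dumps({"tool_id_requested": requested, "result": lookup(requested)})


def canary_breaks_out(body: str, canary: str) -> bool:
    """Defender-side reading of the canary test: True when the canary did not
    survive as an intact string value, i.e. it changed or broke the JSON structure."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return True
    return parsed.get("tool_id_requested") != canary


if __name__ == "__main__":
    # A bare double quote is enough to probe for break-out; no script is needed.
    canary = 'canary"; 1'
    for name, builder in (("unsafe", build_response_unsafe), ("safe", build_response_safe)):
        print(f"{name}: breaks out = {canary_breaks_out(builder(canary), canary)}")
```

Note that the plain word canary parses cleanly from both builders; only the quoted variant separates the vulnerable response from the escaped one, which is why the check parses the body instead of searching for the string.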