Part 5 JSON Injection Demo



Time: 9 hours 31 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Description

This lesson offers participants step-by-step instructions on how to conduct a JSON injection. A JSON structure produces a table with information showing the query and the tool ID. Using JavaScript to send in a request, we get a PHP session ID displayed back. The mitigation for this kind of attack is to have output encoding done for JavaScript; this helps to discover whether JSON structures are vulnerable to injection.
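An added example, not part of the Cybrary lesson, showing the mitigation the description refers to: the tool-lookup JSON response built by string concatenation (the kind of code that lets a quoted canary value break out of the structure) beside the same response built with a real JSON serializer, plus a round-trip check a developer can put in unit tests. The field names follow the demo's table; the back end itself is not shown in the lesson, so this Node.js code, the tool rows and the function names are constructed for this example.

```javascript
// Constructed lookup table standing in for the demo's database row
// (tool ID -> tool name and comment); values are made up for this example.
const TOOLS = {
  1: { name: "Web security scanner", comment: "example comment" },
};

// Unsafe: the raw request parameter is concatenated into the JSON text, so a
// value containing a double quote can close the string and the object early.
function buildResponseUnsafe(toolIdParam) {
  const tool = TOOLS[toolIdParam] || { name: "", comment: "" };
  return '{"query":"The tool ID requested is ' + toolIdParam + '",' +
         '"toolId":"' + toolIdParam + '",' +
         '"toolName":"' + tool.name + '","comment":"' + tool.comment + '"}';
}

// Safe: JSON.stringify escapes quotes, backslashes and control characters, so
// the parameter can only ever become string data, never JSON structure.
// (If the JSON were embedded inside an HTML <script> block instead of being
// fetched with Ajax, '<', '>' and '&' would also need escaping for that context.)
function buildResponseSafe(toolIdParam) {
  const tool = TOOLS[toolIdParam] || { name: "", comment: "" };
  return JSON.stringify({
    query: "The tool ID requested is " + toolIdParam,
    toolId: toolIdParam,
    toolName: tool.name,
    comment: tool.comment,
  });
}

// Round-trip check for a test suite: the response must still parse as JSON and
// the echoed fields must equal the input exactly. A canary value such as
// 'canary"}' fails this check against the unsafe builder and passes it against
// the safe one, which is the defender-side version of the canary test.
function echoesSafely(builder, param) {
  try {
    const parsed = JSON.parse(builder(param));
    return parsed.toolId === param &&
           parsed.query === "The tool ID requested is " + param;
  } catch (e) {
    return false; // parameter altered the JSON structure
  }
}
```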

Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is the OWASP Top 10 for 2013, A1 Injection demo: JSON injection.
00:19
This is the demo for A1 Injection. This is JSON injection.
00:25
Now, JSON actually uses Ajax in order to perform queries asynchronously to the back end
00:33
without the server having to do a refresh. Let's go ahead and take a look at this page as it normally runs.
00:42
We're here to select some sort of pen test tool from a drop-down, so we'll go ahead and do that and just see how it normally works.
00:52
What we can see here is that we have a resulting table
00:58
and that table is being populated with information
01:03
that basically is coming back to us from a JSON structure.
01:07
Now let's go ahead and start our Burp Suite.
01:14
Put our interceptor on
01:18
and send the same request again. Now you'll notice that Burp Suite immediately starts blinking. And there was no refresh
01:26
because that's how Ajax works.
01:30
All that we have is a tool ID that gets sent to the back end in order to query a database.
01:38
So if we go ahead and forward this to see our response,
01:45
what we get back is the JSON structure.
01:49
So this
01:52
this basically corresponds to what we're seeing
01:57
in that table. So we have the query. The tool ID requested is 1.
02:06
The tool ID is 1. The tool name is Web security,
02:12
and there's a scanner and a comment, etcetera. And if
02:17
we go back to the Web page and we look at that table, we can see that
02:23
that information corresponds.
02:27
So now the question is, does this particular page have a vulnerability? And the way that this is usually done is by trying to insert some sort of special
02:39
canary value or some sort of signal that lets a pen tester, or more or less an attacker, know that a page might be susceptible to an injection attack.
02:52
Now, how we conduct that is: we've got our Burp Suite interceptor on.
02:57
Let's go ahead and send this again.
03:01
And this time before we get the response back,
03:06
let's go ahead and put our canary value there.
03:10
So I'm just gonna put the word canary.
03:19
Now when I get the response back, what's interesting is everywhere where I see my word canary
03:25
means that I am able to actually inject something. In this case, it's actually reflecting back to me. So
03:35
not only can I do an injection attack, but this is also a reflected cross-site scripting attack,
03:43
which we'll talk about in the cross-site scripting section.
03:47
But that means that I can basically manipulate the value that is stored in the variable tool ID requested.
03:58
So since we know that we can inject
04:01
some sort of commands and that will actually be reflected back,
04:09
let's go ahead and do a JSON
04:13
injection where we actually display the cookie back that is currently being used. So in order to properly do this, we could create some
04:28
JavaScript, which I've created ahead of time to match the JSON structure.
04:34
And here you can see a close-up of that JavaScript. So we have to actually end the JSON structure, that query that we saw
04:46
immediately after our
04:48
vulnerable variable name, and then we end that command. Then we can begin the alert, which is going to actually display the current cookie that's being used by
05:03
by this particular user
05:05
and then we end that command with a semicolon, and then we use two slashes at the end. This is to basically note that the rest of the information is going to be a comment.
05:21
So let's go ahead and run this.
05:25
We'll take that JavaScript as it's been
05:29
URL encoded.
05:32
Turn on our proxy.
05:39
Send in a request
05:44
paste our
05:46
URL-encoded JavaScript attack
05:55
and we forward that
05:56
and hopefully
06:00
yes,
06:01
we actually get
06:03
our PHP session ID displayed back to us. So our attack worked.
06:11
Now the mitigation for this type of attack is to have encoding done for JavaScript. So any time you have
06:23
JSON structures, you need to first of all ensure that they are not vulnerable to injection.
06:32
And so you're going to have your input validation on your server side as well as your output encoding. And in this case, you're going to encode for JavaScript.
06:44
And that is definitely a method that's made available through OWASP HTML Sanitizer or other frameworks.