What do the bad guys do when attacking via user input?
Posted: Sat Mar 26, 2011 12:28 pm
by bobthebuilder
Or put another way, what do we have to guard against when processing/checking user input?
I am not asking for code here, just general ideas. I have done a few googles on the subject but find it hard separating the wheat from the chaff. Or can anyone provide a link to an updated and accurate list?
Thanks in advance.
Re: What do the bad guys do when attacking via user input?
Posted: Sat Mar 26, 2011 12:40 pm
by Weirdan
Common attack vectors are filename manipulation (remote includes or trying to read local files), SQL injection and XSS.
Re: What do the bad guys do when attacking via user input?
Posted: Sat Mar 26, 2011 3:21 pm
by Mordred
Receiving input, by itself, is not dangerous. It becomes dangerous when you do something with it. How and why depends on the context you use it in. The protection measures depend on that as well. In your mind, you should keep a repository of such possible contexts and countermeasures. Here's a couple of examples, but a full list is of course hard to give.
Context: Output to the HTTP response body:
Most common functions: print(), echo
Vulnerabilities: XSS, defacement
Countermeasures: Writing proper HTML, don't use user input in client-side scripting contexts, in the other cases use htmlspecialchars, with ENT_QUOTES and the correct output encoding.
Context: Dynamic MySQL queries
Most common functions: mysql_query, mysqli_query
Vulnerabilities: SQL injection
Countermeasures: Writing proper SQL, typecast on numeric types, mysql_real_escape_string on the rest. (Check the article in my sig)
The details and tricks on each context are sometimes quite complex; in most cases reading the documentation on the function in question will give you correct advice, but staying current on vulnerabilities is always a good idea. Some of these "contexts" are not easily defined. There are maybe half a dozen ways to cause code execution in PHP, and maybe more in HTML, and if you allow user input in a place that you don't realize might be used to execute code, you may be doing quite serious damage without realizing it.
Re: What do the bad guys do when attacking via user input?
Posted: Sun Mar 27, 2011 2:23 pm
by bobthebuilder
Thanks for the input, it has got me thinking ....
Can I ask for confirmation on these points please.
1) This is very basic, but worth clarifying nevertheless. There is nothing a hacker can achieve by inserting dummy GETs into a URL for example. The GETs (and POSTs) have to be processed by the user's scripts for them to be enacted upon. (If this were not the case I imagine the internet would be useless!)
2) Any time I process a GET or POST or a form, I should consider what data I am expecting to receive at this point and parse it to ensure it fits the expected format. Only if data is in the correct form should I then process it.
Re: What do the bad guys do when attacking via user input?
Posted: Sun Mar 27, 2011 2:53 pm
by Weirdan
bobthebuilder wrote:
1) This is very basic, but worth clarifying nevertheless. There is nothing a hacker can achieve by inserting dummy GETs into a URL for example. The GETs (and POSTs) have to be processed by the user's scripts for them to be enacted upon. (If this were not the case I imagine the internet would be useless!)
Generally yes, unless there's a vulnerability in the web server code or PHP runtime itself.
2) Any time I process a GET or POST or a form, I should consider what data I am expecting to receive at this point and parse it to ensure it fits the expected format. Only if data is in the correct form should I then process it.
You should also encode data into the format safe for a given context - that's what Mordred's post was about.
Re: What do the bad guys do when attacking via user input?
Posted: Sun Mar 27, 2011 3:44 pm
by bobthebuilder
You should also encode data into the format safe for a given context - that's what Mordred's post was about.
What do you mean by 'encoding'? I take this to be the translation of one data format into another format, but what would be a specific example of encoding in this context? For example is taking a Username (i.e. 'Bob') provided in a GET to generate a welcome statement (i.e. 'Welcome Bob') that is then supplied to the browser the kind of thing you are describing? Thanks in advance.
Re: What do the bad guys do when attacking via user input?
Posted: Sun Mar 27, 2011 4:19 pm
by Mordred
<?php
// Assumes a connection already opened with mysql_connect() earlier in the script.
$html_username = htmlspecialchars($_GET['username'], ENT_QUOTES, "utf-8"); // make it safe for tag-level HTML context
echo "Hello, $html_username";
$mysql_username = mysql_real_escape_string($_GET['username']); // make it safe for insertion into mysql queries
mysql_query("INSERT INTO `log` SET username='$mysql_username', `when`=NOW()"); // `when` is a reserved word in MySQL, so the column name must be quoted
Note how the two usage contexts require different escaping mechanisms, and how each of those works on the raw input (not one over the other).
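The following is an added example, not Mordred's code or anything posted in the thread. It puts together the two points made above: bobthebuilder's step of validating that the input has the expected shape before doing anything with it, and Mordred's point that the same raw value needs a different encoding for every context it ends up in. It goes a little beyond the thread by covering the HTML, URL and JavaScript string contexts in one place, and it uses a mysqli prepared statement for the SQL context instead of mysql_real_escape_string, so the value never becomes part of the query text. The whitelist pattern for a username, the sample inputs, and the function names are assumptions made for this example; the `log` table with `username` and `when` columns is taken from Mordred's snippet, and the SQL function needs a real mysqli connection, which the offline demo does not open.

```php
<?php
// Added example, not code from the thread: validate once, then encode per context.
declare(strict_types=1);

// 1) Validation: accept only the shape a username is allowed to have.
//    The pattern (letters, digits, space, apostrophe, ampersand, dot, hyphen;
//    1 to 40 characters) is an assumption for this example.
function validate_username(string $raw): ?string
{
    return preg_match("/^[\\p{L}\\p{N} .'&-]{1,40}$/u", $raw) === 1 ? $raw : null;
}

// 2a) HTML text / double-quoted attribute context: htmlspecialchars with ENT_QUOTES.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2b) URL query-string context: percent-encoding (RFC 3986).
function for_url_query(string $value): string
{
    return rawurlencode($value);
}

// 2c) JavaScript string-literal context inside a <script> block: JSON encoding
//     with the HEX flags so that <, >, &, ' and " cannot close the tag or the literal.
function for_js_string(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 2d) SQL context: a prepared statement. The value is bound as a parameter and
//     never concatenated into the query text, so no escaping step is needed.
//     `when` is a reserved word in MySQL and must be backtick-quoted.
function log_username(mysqli $db, string $username): bool
{
    $stmt = $db->prepare('INSERT INTO `log` (`username`, `when`) VALUES (?, NOW())');
    $stmt->bind_param('s', $username);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Offline demo with constructed inputs (no web server or database involved).
$samples = [
    "O'Brien & Sons",             // constructed: legitimate, but contains characters
                                  // that mean something in HTML, URLs, JS and SQL
    '<script>alert(1)</script>',  // constructed: fails validation and is never encoded
];

foreach ($samples as $raw) {
    $username = validate_username($raw);
    if ($username === null) {
        // Rejected before reaching any output context; respond with a fixed
        // message rather than reflecting the rejected value.
        echo "rejected input\n\n";
        continue;
    }
    echo 'HTML : Welcome, ' . for_html($username) . "\n";
    // The href value is URL-encoded first, then HTML-encoded for the attribute.
    echo 'URL  : <a href="/profile?user=' . for_html(for_url_query($username)) . '">profile</a>' . "\n";
    echo 'JS   : <script>var user = ' . for_js_string($username) . ";</script>\n";
    // SQL  : log_username($db, $username); needs an open mysqli connection $db
    echo "\n";
}
```

For the first sample the three contexts produce three different strings from one raw value (`O&#039;Brien &amp; Sons`, `O%27Brien%20%26%20Sons` and `"O\u0027Brien \u0026 Sons"`), which is the point Mordred makes: each encoding is applied to the raw, validated input, not to the output of another encoding, except where one context is genuinely nested inside another, as with the URL inside an HTML attribute.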