10 Feb, 2023

Improper Input Validation


Improper input validation is a security vulnerability that occurs when an application does not properly validate or sanitize input data before processing it. This vulnerability can allow an attacker to inject malicious input into the application, which can be used to compromise the system or steal sensitive information. Improper input validation is a critical security issue that affects a wide range of applications, including web applications, desktop applications, and mobile apps.

The root cause is usually that developers trust data arriving from outside the application and pass it to a sensitive operation without validating or sanitizing it first, which leaves an opening for malicious actors to inject crafted input into the system.

Examples of vulnerable code in different programming languages:

In C:

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy copies until it finds the terminating NUL and
 * never looks at the 100-byte destination, so longer input overwrites the stack. */
void vulnerable_function(char* input) {
  char buffer[100];
  strcpy(buffer, input);
  printf("%s\n", buffer);
}

int main(int argc, char** argv) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s <input>\n", argv[0]);
    return 1;
  }
  vulnerable_function(argv[1]);  /* attacker-controlled length, never checked */
  return 0;
}

This C code defines a vulnerable_function that takes a string input as an argument and copies it into a fixed-size buffer, buffer, using the strcpy function. The strcpy function does not check the size of the destination buffer, so if the input string is longer than 100 characters, it will overwrite adjacent memory, potentially leading to a buffer overflow vulnerability.

The main function then calls vulnerable_function with argv[1], which is the second command-line argument passed to the program (the first is the program name). This means that an attacker can supply a string of arbitrary length as input, potentially causing a buffer overflow.


In Java:

import java.io.*;

public class Main {
  // Deliberately vulnerable: the file name comes straight from the caller and is
  // never restricted to an allowed directory or checked for ".." components.
  public static void vulnerableMethod(String input) {
    String fileName = input;
    try (BufferedReader bufferedReader = new BufferedReader(new FileReader(fileName))) {
      String line;
      while ((line = bufferedReader.readLine()) != null) {
        System.out.println(line);
      }
    } catch (IOException e) {
      e.printStackTrace();
    }
  }

  public static void main(String[] args) {
    if (args.length < 1) {
      System.err.println("usage: java Main <file>");
      return;
    }
    vulnerableMethod(args[0]);
  }
}

This Java code defines a vulnerableMethod that takes a string input as an argument and opens the file with that name using a FileReader object. If the file exists and is readable, the contents of the file are printed to the standard output. This code is vulnerable because it does not perform any input validation, allowing an attacker to pass in a file name that they don’t have access to, or a filename that points to a sensitive file, such as /etc/passwd.


In Python:

import os
import sys


def vulnerable_function(input):
    # Deliberately vulnerable: the argument is concatenated into a shell command
    # string, so a shell metacharacter such as ';' in the input is interpreted
    # by /bin/sh instead of being treated as part of a file name.
    filename = input
    os.system("cat " + filename)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python vulnerable.py <file>")
    vulnerable_function(sys.argv[1])

This Python code defines a vulnerable_function that takes a string input as an argument and concatenates it with the string "cat " to form a shell command. The resulting command is executed using the os.system function, which allows an attacker to pass in a malicious string that could execute arbitrary code. For example, an attacker could pass in the string "; rm -rf /; #", which would cause the program to execute the commands cat ; rm -rf /; #.
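A hardened counterpart to the Python function above, added here as an example (it is not code from the original article): the file name is confined to an allowed directory before use, and the external command is run as an argument list with no shell, so command separators in the input are never interpreted. ALLOWED_DIR and the file names used are constructed placeholders.

```python
import os
import subprocess
import sys

# Assumption (constructed for this example): files may only be served from this directory.
ALLOWED_DIR = "/var/app/public"


def resolve_safe_path(user_input: str, base_dir: str = ALLOWED_DIR) -> str:
    """Return the canonical path of user_input inside base_dir, or raise ValueError.

    Rejects empty input, NUL bytes and absolute paths, then canonicalises the
    joined path so that any '..' component or symlink escaping base_dir is caught.
    """
    if not user_input or "\x00" in user_input:
        raise ValueError("empty input or embedded NUL byte")
    if os.path.isabs(user_input):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_input))
    # commonpath, not startswith: '/var/app/public_old' must not pass as a prefix of '/var/app/public'
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the allowed directory")
    return candidate


def is_safe_path(user_input: str, base_dir: str = ALLOWED_DIR) -> bool:
    """Boolean form of resolve_safe_path, convenient for checks and tests."""
    try:
        resolve_safe_path(user_input, base_dir)
        return True
    except ValueError:
        return False


def hardened_function(user_input: str) -> str:
    """Hardened counterpart of the article's vulnerable_function.

    The name is validated first, and cat runs with an argument list and no shell,
    so a ';' in the input reaches cat as part of a file name instead of ending a command.
    """
    path = resolve_safe_path(user_input)
    completed = subprocess.run(["cat", "--", path], capture_output=True, text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python hardened.py <file-under-ALLOWED_DIR>")
    print(hardened_function(sys.argv[1]), end="")
```

Note that the two defences are independent: the path check stops traversal out of the directory, and the argument-list call stops shell interpretation. Dropping either one reintroduces one of the two problems the article describes for the Java and Python samples.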

Examples of exploitation for Improper Input Validation

SQL Injection: An attacker can inject malicious SQL code into an application that is not properly validating user-supplied input. This can result in unauthorized access to sensitive information stored in a database, or even full control over the database.

Cross-Site Scripting (XSS): An attacker can inject malicious script into an application that is not properly validating user-supplied input. This can result in the attacker stealing sensitive information such as user login credentials or compromising the user’s browser.

Command Injection: An attacker can inject malicious commands into an application that is not properly validating user-supplied input, and the application passes them to the operating system shell.

Buffer Overflow: An attacker can provide input that exceeds the maximum length expected by the application, causing it to overflow its buffer and potentially execute arbitrary code.

Directory Traversal: An attacker can supply directory traversal characters such as “../” in user-supplied input to access files and directories outside of the intended scope.

Remote Code Execution: An attacker can supply malicious code in user-supplied input, which is then executed by the application, allowing the attacker to take control of the application or execute arbitrary code on the underlying system.

Format String Attack: An attacker can supply format string specifiers in user-supplied input, causing the application to output sensitive information or crash.

Privilege escalation methods for Improper Input Validation

  • Authorization Bypass: An attacker can provide input that is not properly validated by the application, allowing the attacker to bypass authorization checks and gain access to restricted resources.

  • Escalation of Privileges: An attacker can manipulate user-supplied input in such a way that the application executes code with elevated privileges, allowing the attacker to take control of the system or perform actions they wouldn’t normally be able to.

  • Arbitrary File Upload: An attacker can upload a malicious file to a vulnerable application that does not properly validate user-supplied input, allowing the attacker to execute arbitrary code on the system or compromise sensitive data.

  • DLL Hijacking: An attacker can upload a malicious DLL to a vulnerable application that does not properly validate user-supplied input, allowing the attacker to execute arbitrary code with the same privileges as the application.

  • Path Traversal: An attacker can manipulate user-supplied input to access files and directories outside of the intended scope, potentially leading to the exposure of sensitive information or the ability to execute arbitrary code.

  • Injection Flaws: An attacker can inject malicious code into an application through user-supplied input that is not properly validated, potentially leading to the execution of arbitrary code or the compromise of sensitive information.

  • Unrestricted File Upload: An attacker can upload a malicious file to a vulnerable application that does not properly validate user-supplied input, potentially leading to the execution of arbitrary code or the compromise of sensitive information.

  • Improper Session Management: An attacker can manipulate user-supplied input to hijack an active session, potentially leading to the exposure of sensitive information or the ability to perform actions as another user.

Methodology and checklist on testing for Improper Input Validation

Methodology:

  1. Information Gathering: Gather information about the target application and its inputs, such as form fields, URLs, and APIs.

  2. Input Validation Testing: Test each input for proper validation, including testing for:

    Input sanitization
    Input filtering
    Input encoding
    Length checking
    Type checking

  3. Exploitation: Attempt to exploit any identified vulnerabilities through techniques such as:

    Buffer overflows
    SQL injection
    Cross-site scripting (XSS)
    Directory traversal
    Remote code execution

Checklist:

  1. Check for proper input validation and sanitization on all inputs, including form fields, URLs, and APIs.

  2. Verify that the application is properly encoding user-supplied input to prevent cross-site scripting (XSS) and other injection attacks.

  3. Test for proper input length checking to prevent buffer overflows and other memory-related attacks.

  4. Verify that the application is properly filtering user-supplied input to prevent directory traversal and other file-related attacks.

  5. Test for proper type checking to prevent the execution of arbitrary code and other code-related attacks.

  6. Attempt to exploit any identified vulnerabilities to confirm the presence of improper input validation.

  7. Review code and logs for any signs of improper input validation or exploitation attempts.

  8. Report any findings to the development team for remediation.

This methodology and checklist provide a general overview of the process of testing for improper input validation. However, it’s important to note that the specifics of the testing process can vary greatly depending on the target application and its inputs.
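Checklist item 7 asks for a review of logs for signs of exploitation attempts. The following added example (not part of the original article) shows what such a review looks like in Python: it parses Common Log Format access-log lines, percent-decodes the request target until it stops changing (so double encoding is not an evasion), and flags query strings that carry the indicators the article lists (traversal sequences, SQL quote-based patterns, script tags, shell separators). The log lines, IP addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2023:10:01:12 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120
203.0.113.5 - - [10/Feb/2023:10:01:15 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0
198.51.100.7 - - [10/Feb/2023:10:02:03 +0000] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Feb/2023:10:02:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048
192.0.2.9 - - [10/Feb/2023:10:03:44 +0000] "GET /profile?name=alice HTTP/1.1" 200 1024
192.0.2.9 - - [10/Feb/2023:10:03:50 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, applied to the *decoded* query string because encoding is the usual evasion.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\.[\\/]"),
    "sql-injection": re.compile(r"'\s*(or|and)\s+'?\d|union\s+select|--\s*$", re.IGNORECASE),
    "xss": re.compile(r"<\s*script\b|javascript:", re.IGNORECASE),
    "command-injection": re.compile(r"[;|`]|\$\("),
}


def decode_target(path: str) -> str:
    """Percent-decode repeatedly until the string is stable, so %252F is seen as '/'."""
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path


def classify_request(path: str) -> list[str]:
    """Return the names of every indicator found in the request's query string."""
    decoded = decode_target(path)
    query = decoded.partition("?")[2]  # only the user-controlled parameters are inspected
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def review_log(text: str) -> list[dict]:
    """Parse each log line and keep those whose request carries at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production reviewer would count these too
        hits = classify_request(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "path": m["path"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['status']} {','.join(f['indicators']):<20} {f['path']}")
```

The response status is kept in each finding because it is the first triage signal: a 403 on a traversal attempt says the control worked, while a 200 or 500 on an injection pattern is what needs a closer look against the application's own validation logic.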

Tools for exploiting Improper Input Validation

Manual tools:

  • Burp Suite: A web application security testing tool that includes a suite of tools for performing various security testing tasks, including exploiting improper input validation.

  • OWASP ZAP: An open-source web application security testing tool that includes a number of tools for finding and exploiting security vulnerabilities, including improper input validation.

  • sqlmap: An open-source tool for automating the detection and exploitation of SQL injection vulnerabilities.

  • Nmap: An open-source network mapping and security tool that can be used to test for improper input validation in web applications and other network-based services.

  • Metasploit: An open-source penetration testing framework that includes a number of tools for finding and exploiting security vulnerabilities, including improper input validation.

  • Wireshark: A network protocol analyzer that can be used to examine network traffic for signs of improper input validation or other security vulnerabilities.

  • Telnet: A simple command-line tool for connecting to remote servers and testing for improper input validation and other security vulnerabilities.

  • Netcat: A simple command-line tool for reading and writing data across network connections, which can be used to test for improper input validation in network-based services.

Automated tools:

  • Acunetix: A web vulnerability scanner that automates the process of identifying and exploiting improper input validation vulnerabilities in web applications.

  • Nessus: A vulnerability scanner that includes a number of tools for identifying and exploiting security vulnerabilities, including improper input validation.

  • Qualys: A cloud-based vulnerability scanner that automates the process of identifying and exploiting improper input validation vulnerabilities in web applications and other network-based services.

  • OpenVAS: An open-source vulnerability scanner that includes a number of tools for identifying and exploiting security vulnerabilities, including improper input validation.

  • AppScan: An application security testing tool that automates the process of identifying and exploiting improper input validation vulnerabilities in web applications.

  • WebInspect: An application security testing tool that includes a number of tools for identifying and exploiting improper input validation vulnerabilities in web applications.

  • IBM App Security Scanner: An application security testing tool developed by IBM that automates the process of identifying and exploiting improper input validation vulnerabilities in web applications.

Browser plugins:

  • OWASP ZAP Proxy: A browser plugin for the OWASP ZAP web application security testing tool that allows users to test for and exploit improper input validation vulnerabilities in web applications.

  • Burp Suite Extension: A browser plugin for the Burp Suite web application security testing tool that allows users to test for and exploit improper input validation vulnerabilities in web applications.

  • NoScript: A browser plugin for Mozilla Firefox that allows users to block scripts and other active content, which can help prevent improper input validation vulnerabilities in web applications.

Average CVSS score for Improper Input Validation

The average CVSS (Common Vulnerability Scoring System) score for Improper Input Validation can vary depending on the specific vulnerability and its severity. Improper Input Validation is a broad category of vulnerability that can range from low-severity issues, such as minor information leaks, to high-severity issues, such as remote code execution.

According to the CVSS v3.1 scoring system, the average CVSS base score for Improper Input Validation vulnerabilities can range from 4.0 to 7.5, depending on the specifics of the vulnerability. A score of 4.0 indicates a low-severity vulnerability, while a score of 7.5 indicates a high-severity vulnerability.

It’s worth noting that the actual CVSS score for a particular vulnerability will depend on a number of factors, including the specifics of the vulnerability, the affected software and systems, and the potential impact of the vulnerability. As such, it’s not possible to provide a single, definitive CVSS score for Improper Input Validation.

CWE information about Improper Input Validation

Here are the top 10 Common Weakness Enumeration (CWE) entries related to Improper Input Validation, ranked in order of prevalence:

CWE-20: Improper Input Validation – This CWE entry covers a wide range of weaknesses that result from improper input validation, including buffer overflows, command injection attacks, cross-site scripting (XSS) attacks, and more.

CWE-79: Cross-Site Scripting (XSS) – XSS is a type of web application vulnerability that allows attackers to inject malicious code into a web page that is viewed by other users. This can be used to steal sensitive information, hijack user sessions, and carry out other malicious activities.

CWE-94: Improper Control of Generation of Code (‘Code Injection’) – This CWE entry covers a range of code injection vulnerabilities, such as SQL injection attacks and command injection attacks, where attackers can inject malicious code into the software system that is executed as part of normal system operations.

CWE-116: Improper Encoding or Escaping of Output – This CWE entry covers weaknesses related to improper encoding or escaping of output, such as XSS vulnerabilities, where malicious input is not properly encoded or escaped, allowing it to be executed as malicious code by the web browser.

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – This CWE entry covers command injection vulnerabilities, where attackers can inject malicious code into an operating system command that is executed by the software system.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – This CWE entry covers SQL injection vulnerabilities, where attackers can inject malicious code into an SQL statement that is executed by the software system, allowing them to access sensitive information or execute arbitrary code.

CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) – This CWE entry covers buffer overflow vulnerabilities, where attackers can cause a software system to write data beyond the boundaries of a buffer, leading to a crash or arbitrary code execution.

CWE-121: Stack-based Buffer Overflow – This CWE entry covers stack-based buffer overflow vulnerabilities, where attackers can cause a software system to write data beyond the boundaries of a buffer stored on the stack, leading to a crash or arbitrary code execution.

CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) – This CWE entry covers resource exhaustion vulnerabilities, where attackers can cause a software system to consume a large amount of resources, such as memory or CPU time, leading to a denial-of-service attack.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) – This CWE entry covers path traversal vulnerabilities, where attackers can access files or directories outside of the intended scope of the software system, allowing them to access sensitive information or execute arbitrary code.

Top 10 latest CVEs related to Improper Input Validation

CVE-2023-24495 – A Server Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session & user-accessible input data. A privileged, authenticated remote attacker could interact with external and internal services covertly.

CVE-2023-24494 – A stored cross-site scripting (XSS) vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker could exploit this by convincing a user to click a specially crafted URL to execute arbitrary script code in the user’s browser session.

CVE-2023-24493 – A formula injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could leverage the reporting system to export reports containing formulas, which would then require a victim to approve and execute on a host.

CVE-2023-21607 – Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2023-21596 – Adobe InCopy versions 18.0 (and earlier), 17.4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2023-21588 – Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2023-21446 – Improper input validation in MyFiles prior to version 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13) allows a local attacker to access data of MyFiles.

CVE-2023-21439 – Improper input validation vulnerability in UwbDataTxStatusEvent prior to SMR Feb-2023 Release 1 allows attackers to launch certain activities.

CVE-2023-21434 – Improper input validation vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to execute JavaScript by launching a web page.

CVE-2023-21431 – Improper input validation in Bixby Vision prior to version 3.7.70.17 allows an attacker to access data of Bixby Vision.

List of popular exploits for Improper Input Validation

Here is a list of popular exploits related to Improper Input Validation:

  • SQL Injection

  • Cross-Site Scripting (XSS)

  • Command Injection

  • Buffer Overflow

  • Path Traversal

  • Remote Code Execution (RCE)

  • HTTP Response Splitting

  • Integer Overflow

  • Log Injection

  • Format String Attack

  • Code Injection

  • Directory Traversal

  • Information Disclosure

  • LDAP Injection

  • Server-Side Request Forgery (SSRF)

Where to test for Improper Input Validation?

Improper Input Validation can be tested in several ways, including:

  1. Black Box Testing: In this type of testing, you don’t have access to the source code, and you test the application by providing inputs and observing the output. This is a good way to test for Improper Input Validation in a real-world scenario.

  2. White Box Testing: In this type of testing, you have access to the source code and can test the application from the inside. This is a good way to identify the specific areas of the code where Improper Input Validation is a concern and to test the input validation logic.

  3. Penetration Testing: In this type of testing, a security professional simulates a real-world attack on the application to identify vulnerabilities, including Improper Input Validation.

  4. Automated Scanning Tools: There are several automated tools available that can be used to scan for Improper Input Validation, such as Burp Suite, OWASP ZAP, and Nessus. These tools can identify vulnerabilities in the application and provide recommendations for remediation.

  5. Manual Testing: This type of testing involves manually testing the application by providing inputs and observing the output. This can be a time-consuming process, but it is an effective way to identify Improper Input Validation, especially if you have a deep understanding of the application and the underlying technology.

It’s important to test for Improper Input Validation in multiple ways to ensure that the application is secure. No single method is foolproof, and a combination of testing methods is often necessary to identify all possible vulnerabilities.

Books covering race conditions and Improper Input Validation

Here are some books that cover the topic of race conditions and Improper Input Validation:

“The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto: This book provides a comprehensive guide to finding and exploiting security vulnerabilities in web applications, including race conditions and Improper Input Validation. It covers a wide range of topics, from the basics of web application security to advanced exploitation techniques.

“Secure Coding in C and C++” by Robert C. Seacord: This book provides a comprehensive guide to writing secure code in C and C++, including coverage of race conditions and Improper Input Validation. It covers a wide range of topics, including input validation, error handling, buffer overflows, and concurrent programming.

“Black Hat Python” by Justin Seitz: This book provides a practical guide to hacking with Python, including coverage of race conditions and Improper Input Validation. It covers a wide range of topics, from setting up a hacking environment to exploiting vulnerabilities in web applications and network protocols.

“Hacking: The Art of Exploitation” by Jon Erickson: This book provides a comprehensive guide to hacking and exploiting vulnerabilities, including coverage of race conditions and Improper Input Validation. It covers a wide range of topics, from the basics of programming to advanced exploitation techniques.

“Gray Hat Hacking: The Ethical Hacker’s Handbook” by Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Terron Williams, and Ryan Linn: This book provides a comprehensive guide to ethical hacking, including coverage of race conditions and Improper Input Validation. It covers a wide range of topics, from the basics of hacking to advanced exploitation techniques.

“The Shellcoder’s Handbook: Discovering and Exploiting Security Holes” by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte – This book is focused on the exploitation of security vulnerabilities in software and includes a section on race conditions and how they can be used to attack a system.

“Web Application Obfuscation: Attack and Defense” by Sherif Koussa and Samuel Chen – This book specifically focuses on the security of web applications and provides a detailed explanation of race conditions and input validation in this context.

“Secure Coding: Principles and Practices” by Mark G. Graff and Kenneth R. van Wyk – This book provides a comprehensive overview of software security and covers various topics including race conditions and input validation.

List of payloads suitable for Improper Input Validation

Here is a list of some common payloads used to exploit improper input validation:

  1. SQL Injection payloads – These payloads are designed to manipulate SQL statements in a way that allows an attacker to execute arbitrary SQL commands on a database.

  2. Cross-Site Scripting (XSS) payloads – These payloads are designed to inject malicious scripts into a web page viewed by other users.

  3. Command Injection payloads – These payloads are designed to inject and execute arbitrary system commands on a target system.

  4. Buffer Overflow payloads – These payloads are designed to overflow the memory buffer allocated for user input, leading to the execution of arbitrary code.

  5. File Inclusion payloads – These payloads are designed to manipulate file paths to include malicious files on a target system.

  6. Path Traversal payloads – These payloads are designed to manipulate file paths in a way that allows an attacker to access sensitive files outside of the intended directory.

It’s important to note that improper input validation can lead to a wide range of security vulnerabilities, and attackers will often combine different payloads and techniques in order to achieve their goals.

Mitigations for Improper Input Validation

Here are some best practices for mitigating improper input validation:

  1. Input Validation: Validate all user input on the server-side before processing it. This can be done using techniques such as type checking, length checking, and range checking.

  2. Input Sanitization: Sanitize all user input to remove any potentially harmful characters or elements, such as special characters or scripts. This can be done using techniques such as escaping, encoding, or stripping characters.

  3. Use Prepared Statements: When working with databases, use prepared statements instead of concatenating user input into SQL statements. Prepared statements separate the input from the command, making it much more difficult for attackers to inject malicious input.

  4. Limit Input Length: Limit the length of user input to prevent buffer overflows and other forms of overflow attacks.

  5. Use a Web Application Firewall (WAF): A WAF can help to mitigate the impact of improper input validation by blocking known malicious payloads and other types of malicious input.

  6. Regular Security Audits: Regular security audits can help to identify and mitigate improper input validation and other security vulnerabilities in a timely manner.

  7. Stay Up-to-Date: Stay up-to-date with the latest security best practices and vulnerabilities, and apply appropriate patches and updates to your systems to ensure that they are protected against the latest threats.
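Mitigations 1 to 4 above are concrete enough to show in code. The following added Python example (not part of the original article) implements them for a small form with a username and an age: allowlist-based type, length and character checks for each field, output encoding instead of character stripping, and a parameterized query placed beside the concatenated query it replaces so the difference is visible on the same input. The table, rows and form values are constructed for the example; sqlite3 from the standard library stands in for whatever database driver an application uses.

```python
import html
import re
import sqlite3

MAX_USERNAME_LEN = 32
# Allowlist of accepted characters; preferred over a blocklist of "dangerous" characters,
# which is always incomplete.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def validate_username(value) -> str:
    """Type, length and character-set checks (mitigations 1 and 4)."""
    if not isinstance(value, str):
        raise TypeError("username must be a string")
    if not 1 <= len(value) <= MAX_USERNAME_LEN:
        raise ValueError(f"username length must be between 1 and {MAX_USERNAME_LEN}")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allowlist")
    return value


def validate_age(value) -> int:
    """Type and range check for a numeric field."""
    try:
        age = int(value)
    except (TypeError, ValueError):
        raise ValueError("age must be an integer") from None
    if not 0 <= age <= 150:
        raise ValueError("age must be between 0 and 150")
    return age


def validate_request(form: dict) -> tuple[dict, list[str]]:
    """Validate a whole form; returns (cleaned fields, list of error messages)."""
    cleaned, errors = {}, []
    for field, validator in (("username", validate_username), ("age", validate_age)):
        try:
            cleaned[field] = validator(form.get(field))
        except (TypeError, ValueError) as exc:
            errors.append(f"{field}: {exc}")
    return cleaned, errors


def sanitize_for_html(value: str) -> str:
    """Mitigation 2 as output encoding: escape rather than strip, so data is not silently altered."""
    return html.escape(value, quote=True)


def open_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 30), ("bob", 41)])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The anti-pattern: concatenation lets a quote character in the input rewrite the query."""
    return conn.execute("SELECT name, age FROM users WHERE name = '" + name + "'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Mitigation 3: a bound parameter travels as data and is never parsed as SQL."""
    return conn.execute("SELECT name, age FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    cleaned, errors = validate_request({"username": "alice", "age": "30"})
    print("validated:", cleaned, "errors:", errors)
    print("safe lookup:", find_user_safe(db, cleaned["username"]))
    print("escaped for HTML:", sanitize_for_html("<b>" + cleaned["username"] + "</b>"))
```

The two lookups are deliberately kept side by side: with a well-formed name they return the same row, and only when the input carries a quote does the concatenated version return more than it should while the parameterized one returns nothing. Validation and parameterization are complementary, not alternatives; the allowlist would reject such input at the edge, and the bound parameter protects the query even if a field is added later that the allowlist never sees.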

How to be protected from Improper Input Validation

  1. Use Secure Applications: Use secure and well-vetted applications that have been properly tested and validated to ensure that they are protected against common security vulnerabilities, including improper input validation.

  2. Keep Software Up-to-Date: Keep all software up-to-date, including operating systems, applications, and browser plugins. Software updates often include security patches that can help to protect against new and emerging threats, including those related to improper input validation.

  3. Use Strong Passwords: Use strong and unique passwords for all online accounts, and consider using a password manager to securely store and manage your passwords.

  4. Be Cautious of Public Wi-Fi: Be cautious when using public Wi-Fi networks, as these networks can be vulnerable to attacks that exploit improper input validation. Avoid entering sensitive information, such as passwords and credit card numbers, while connected to public Wi-Fi.

  5. Use Antivirus and Anti-malware Software: Use antivirus and anti-malware software to help protect your devices against malware and other security threats, including those that exploit improper input validation.

  6. Be Vigilant: Be vigilant and pay attention to any warning messages or error messages that appear when using software, as these can indicate that an application is vulnerable to improper input validation.

  7. Educate Yourself: Stay informed and educate yourself about the latest security threats, including those related to improper input validation, and take steps to protect yourself and your information.

Conclusion

Improper Input Validation is a security vulnerability where user input is not properly checked before processing. It can lead to various security issues such as SQL injection, XSS, buffer overflows, etc. Mitigation includes proper validation and sanitization, prepared statements, limited input length, WAFs, regular security audits and software updates. Protection involves using secure applications, updating software, strong passwords, caution on public Wi-Fi, antivirus/anti-malware software, vigilance, and education. Improper Input Validation is a serious threat and requires proper measures for protection.
