Thursday, March 29, 2018

OWASP TOP 10: SSTI

This time we'll talk a little about server-side template injection (SSTI): what it is, when it occurs and what to do to mitigate the risk.


Overview

Like any other type of injection, SSTI falls under the Injection category that sits at the top of the OWASP Top 10 and threatens web applications on a daily basis. SSTI occurs when user input is embedded unsafely into the source of a template, so that the template engine evaluates any directives the attacker placed in that input instead of treating it as data. The effect can be catastrophic, especially when it escalates to remote code execution (RCE).

POC
In the following short video, we can see how a server-side template injection occurs in a Flask application using the Jinja2 template engine. The POC was made inside a CTF challenge, so only the flag is shown and no RCE is attempted. In a real-life system other data (the application's configuration object, for example) may be exposed, endangering the company's assets.


Mitigation
The risk of accepting template directives, and with them a server-side template injection, can be mitigated in three ways: never create a template from user input (pass the input to a fixed template as a context variable instead); render any template that really must be built dynamically inside a sandboxed environment, such as Jinja2's SandboxedEnvironment, so that an injected expression cannot reach dangerous objects; and check the template engine's documentation for patches and engine-specific advice on hardening it.
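The vulnerable pattern from the overview next to the two mitigations above, as an added example (it is not code from the original post or from the CTF challenge). It uses Jinja2 directly rather than Flask, so `render_template_string` is replaced by `Environment.from_string`; the two probe strings are constructed here, and `{{ 7*7 }}` is the usual first test for SSTI: if the page comes back with "49", the input is being evaluated as a template.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed probe strings, the kind an attacker types into a form field.
PROBE_ARITHMETIC = "{{ 7*7 }}"                    # "49" in the response means injection
PROBE_OBJECT_WALK = "{{ ''.__class__.__mro__ }}"  # first hop of the classic Jinja2 object walk

# autoescape is deliberately off: escaping acts on the *output* of expressions,
# not on the template source, so it does nothing to stop SSTI.
env = Environment(autoescape=False)


def greet_vulnerable(name: str) -> str:
    """Template source built by string concatenation (the same mistake as
    render_template_string("Hello " + name) in Flask): the user's text becomes
    part of the template and any {{ ... }} inside it is evaluated."""
    return env.from_string("Hello " + name + "!").render()


def greet_safe(name: str) -> str:
    """The fix: the template source is a constant and the user's text is passed
    as a context variable, so the engine treats it as data, never as syntax."""
    return env.from_string("Hello {{ name }}!").render(name=name)


def greet_sandboxed(name: str) -> str:
    """Defence in depth for templates that really must be built from user input:
    Jinja2's SandboxedEnvironment refuses unsafe attribute access such as
    __class__/__mro__ and raises SecurityError.  Note that it still evaluates
    the injected expression (7*7 is allowed), so it limits the damage rather
    than removing the bug."""
    sandbox = SandboxedEnvironment(autoescape=False)
    try:
        return sandbox.from_string("Hello " + name + "!").render()
    except SecurityError as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    for probe in (PROBE_ARITHMETIC, PROBE_OBJECT_WALK):
        print("vulnerable:", greet_vulnerable(probe))
        print("safe:      ", greet_safe(probe))
        print("sandboxed: ", greet_sandboxed(probe))
```

Running it shows the three behaviours side by side: the concatenated template evaluates both probes (the second one prints the `str` class and its MRO, which is where the well-known Jinja2 payloads start walking towards `os`), the fixed template echoes the probes back as literal text, and the sandbox evaluates the arithmetic but blocks the object walk.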


Sources:
https://nvisium.com/resources/blog/2015/12/07/injecting-flask.html
https://portswigger.net/kb/issues/00101080_server-side-template-injection
http://flask.pocoo.org/docs/0.12/templating/

Tuesday, March 27, 2018

Binary Exploitation Basics - Int Limits & Buffer Overflow

It's been a while. I've been practicing and delving deeper into the CTF world. Capture-the-flag events help you not only to understand different areas of cyber security but also to think outside the box. Lately, I've been lucky to find some easy CTFs that teach the basics of binary exploitation, a subject that can be cumbersome for many, including myself. I hope that, with this video blog, you can understand the very basics of C integer limits and of the buffer overflow caused by the gets() function in a C program.

Let's start.

Binary 1: C Integer Range Limitations

In the first program, accumulator.c, an int variable ('n') is assigned from user input, but the program only gives us access to the (secret) flag if the variable is negative. The problem is that it doesn't let us enter negative values. If we enter a "too high" value, it also refuses to give us the flag.

The secret I found here was to understand the limits of signed integers in C. As the table below shows, the largest value a (32-bit) signed int can hold is 2147483647, INT_MAX in <limits.h>. If we enter that value and then add one to it, the result no longer fits. Strictly speaking, signed overflow is undefined behaviour in C, but on every mainstream compiler and two's-complement CPU the value wraps around to the minimum value of int, INT_MIN, which <limits.h> defines as (-2147483647 - 1), that is -2147483648. That negative value lands in the variable and the program hands over the flag.

Ranges of the fixed-width signed integer types on common 32- and 64-bit platforms (long is left out because it is 32 bits on some platforms and 64 on others):

  Type          Bits   Minimum                 Maximum
  signed char      8   -128                    127
  short           16   -32768                  32767
  int             32   -2147483648             2147483647
  long long       64   -9223372036854775808    9223372036854775807

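The same accumulator bug and its fix, as an added example (this is not accumulator.c from the challenge, whose exact "too high" limit is not known and is therefore not modelled). Because signed overflow is undefined behaviour, the unchecked sum is formed in unsigned arithmetic, which is guaranteed to wrap modulo 2^32, and converted back; on gcc and clang with two's-complement ints that is exactly the value the real unchecked `total + n` produces. The hardened adder compares against INT_MAX and INT_MIN before adding, so the check itself cannot overflow.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The pattern behind the challenge: a signed int accumulator with no
 * overflow check.  Unsigned wrap-around modelled on purpose (see lead-in);
 * the result is the two's-complement value the real binary ends up with. */
int add_unchecked(int total, int n) {
    return (int)((unsigned int)total + (unsigned int)n);
}

/* Hardened version: test against INT_MAX / INT_MIN *before* adding.
 * Returns false and leaves *out untouched if the sum would leave int range. */
bool add_checked(int total, int n, int *out) {
    if ((n > 0 && total > INT_MAX - n) || (n < 0 && total < INT_MIN - n)) {
        return false;
    }
    *out = total + n;
    return true;
}

/* The gate the challenge puts in front of the flag. */
bool flag_unlocked(int total) {
    return total < 0;
}

/* Replays a sequence of user inputs against the accumulator.  Negative
 * inputs are rejected, as in the challenge.  With checked == true the
 * hardened adder is used and an input that would overflow is rejected. */
int replay(const int *inputs, size_t count, bool checked) {
    int total = 0;
    for (size_t i = 0; i < count; i++) {
        if (inputs[i] < 0) {
            continue;                       /* "negative values not allowed" */
        }
        if (checked) {
            if (!add_checked(total, inputs[i], &total)) {
                continue;                   /* rejected: would overflow */
            }
        } else {
            total = add_unchecked(total, inputs[i]);
        }
    }
    return total;
}

/* The page's attack sequence: INT_MAX first, then 1 (constructed input). */
static const int ATTACK[] = { INT_MAX, 1 };

int attack_unchecked(void) { return replay(ATTACK, 2, false); }
int attack_checked(void)   { return replay(ATTACK, 2, true); }

int main(void) {
    int t = attack_unchecked();
    printf("unchecked: total = %d, flag %s\n", t, flag_unlocked(t) ? "unlocked" : "locked");
    t = attack_checked();
    printf("checked:   total = %d, flag %s\n", t, flag_unlocked(t) ? "unlocked" : "locked");
    return 0;
}
```

With the unchecked adder the sequence INT_MAX, 1 leaves the accumulator at INT_MIN and the negative check opens the flag; with the checked adder the second input is rejected and the total stays at INT_MAX. Note that the naive check `total + n > INT_MAX` would itself overflow, which is why the comparison is rearranged.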
Binary 2: Buffer Overflow in 'gets()' function

In this challenge we have to use a debugger or disassembler (such as gdb or objdump) to see which functions the program uses to read and print data. After examining the main() function for a while, we can see that the C program reads its input with gets() instead of fgets(). A quick Google search shows this is a well-known problem: gets() has no way of knowing how large the destination buffer is, which makes it a classic source of buffer overflows (it was deprecated in C99 and removed from the language in C11).

By running a Python one-liner we feed the program 500 A's, overflowing the buffer and causing a segmentation fault. Because gets() does not check the bounds of the buffer, every byte beyond its end is written over whatever sits above it on the stack (adjacent variables, the saved frame pointer, the return address). In this challenge that corruption was enough for the program to hand over the flag.


There is a simple fix: read the input with fgets(buf, sizeof buf, stdin) instead of gets(). fgets() is given the size of the buffer and stores at most size - 1 characters plus the terminating NUL, so it can never write past the end; the one thing to remember is that it keeps the trailing newline, which the program has to strip itself.
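The overflow and the fix side by side, as an added example (not the challenge binary; its real stack layout is unknown, so a layout of a 32-byte buffer followed by an 8-byte saved frame pointer and an 8-byte return address is assumed). The whole frame is modelled inside one byte array so that the overflow corrupts the model rather than this process's real stack, and the 500 A's are constructed in memory and served through `fmemopen()` (POSIX). `read_like_gets()` has the same contract as gets(): no length argument, reads until newline or EOF. Real gets() cannot be used here because C11 hosts no longer declare it.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Assumed stack frame of the challenge binary: a 32-byte input buffer, the
 * 8-byte saved frame pointer, the 8-byte return address, then the caller's
 * frame.  All of it lives inside one byte array (see lead-in). */
#define BUF_SIZE   32
#define SAVED_FP   BUF_SIZE
#define RET_ADDR   (BUF_SIZE + 8)
#define STACK_SIZE 1024

struct frame_model {
    unsigned char mem[STACK_SIZE];
};

static void frame_init(struct frame_model *f) {
    memset(f->mem, 0, sizeof f->mem);
    memset(f->mem + SAVED_FP, 0xBB, 8);
    memset(f->mem + RET_ADDR, 0xCC, 8);
}

/* 1 if the modelled return address still holds its original 0xCC bytes. */
int return_address_intact(const struct frame_model *f) {
    unsigned char orig[8];
    memset(orig, 0xCC, sizeof orig);
    return memcmp(f->mem + RET_ADDR, orig, sizeof orig) == 0;
}

/* Same contract as gets(): read until newline or EOF with no length argument,
 * so it stores as many bytes as the input contains.  The only stop is the end
 * of the modelled memory; a real gets() keeps writing into whatever is above. */
size_t read_like_gets(FILE *in, struct frame_model *f) {
    size_t n = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n < STACK_SIZE - 1) {
            f->mem[n++] = (unsigned char)c;
        }
    }
    f->mem[n] = '\0';
    return n;
}

/* The fix: fgets() is told the buffer size and stores at most BUF_SIZE - 1
 * characters plus the NUL, so it can never reach SAVED_FP or RET_ADDR.
 * The newline it keeps (when it fits) is stripped here. */
size_t read_with_fgets(FILE *in, struct frame_model *f) {
    char *buf = (char *)f->mem;
    if (fgets(buf, BUF_SIZE, in) == NULL) {
        return 0;
    }
    buf[strcspn(buf, "\n")] = '\0';
    return strlen(buf);
}

/* Feeds the page's payload (500 'A's and a newline, constructed here) through
 * one reader; returns bytes stored and sets *intact for the return address. */
static size_t run_payload(size_t (*reader)(FILE *, struct frame_model *), int *intact) {
    char payload[501];
    memset(payload, 'A', 500);
    payload[500] = '\n';
    FILE *in = fmemopen(payload, sizeof payload, "r");
    if (in == NULL) {
        *intact = 0;
        return 0;
    }
    struct frame_model f;
    frame_init(&f);
    size_t n = reader(in, &f);
    fclose(in);
    *intact = return_address_intact(&f);
    return n;
}

size_t gets_bytes(void)    { int i; return run_payload(read_like_gets, &i); }
int gets_ret_intact(void)  { int i; run_payload(read_like_gets, &i); return i; }
size_t fgets_bytes(void)   { int i; return run_payload(read_with_fgets, &i); }
int fgets_ret_intact(void) { int i; run_payload(read_with_fgets, &i); return i; }

int main(void) {
    printf("gets-style: %zu bytes stored, return address %s\n",
           gets_bytes(), gets_ret_intact() ? "intact" : "overwritten");
    printf("fgets:      %zu bytes stored, return address %s\n",
           fgets_bytes(), fgets_ret_intact() ? "intact" : "overwritten");
    return 0;
}
```

The gets-style reader stores all 500 bytes and the 0xCC return address becomes 0x4141414141414141, which is the value the crashing program tries to jump to (the cause of the segmentation fault in the video); fgets() stores 31 bytes and leaves everything above the buffer untouched.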

I hope you enjoyed this video and learned a few things just like I did. Cheers!