
importance of UTF-8 representation stems from the fact that web servers and applications perform several processing steps on their input, and the order of those steps is sometimes critical to the security of the application. Basically, the steps are URL decoding, potentially followed by UTF-8 decoding, with the various security checks (themselves processing steps) intermingled between them. If, for example, one of the security checks searches for .. and runs before UTF-8 decoding takes place, it is possible to inject .. or the path separator in an overlong UTF-8 form that the check does not recognise as such. Even if the security check recognises some of the non-canonical encodings of dots and slashes, it may still be that not all of them are known to it.

Example

URL Encoding of the example attack:

http://host/cgi-bin/bad.cgi?foo=..%2F../bin/ls%20-al|

Unicode encoding of the example attack:

http://host/cgi-bin/bad.cgi?foo=..%c0%af../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c1%9c../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c1%pc../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c0%9v../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c0%qf../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c1%8s../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c1%1c../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c1%9c../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c1%af../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%e0%80%af../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%f0%80%80%af../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%f8%80%80%80%af../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%fc%80%80%80%80%af../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?foo=..%c0%af..%c0%af..%c0%af../bin/ls%20-al|
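The decode-order problem described above, as an added example (this is not code from the CodeSeeker help or product): a deliberately lenient UTF-8 decoder that accepts overlong sequences, the .. check applied in the wrong order (before UTF-8 decoding) and in the right order (after strict decoding), run over query values taken from the list above. The function names, the two pipeline layouts and the use of Python's own strict codec as the "correct" decoder are assumptions of this example; only the payloads come from the page.

```python
from typing import Optional
from urllib.parse import unquote_to_bytes

# Lead-byte patterns: (mask, expected value, payload-bit mask, sequence length).
# Five- and six-byte forms are included because the payload list above uses them.
_LEAD_FORMS = (
    (0xE0, 0xC0, 0x1F, 2),
    (0xF0, 0xE0, 0x0F, 3),
    (0xF8, 0xF0, 0x07, 4),
    (0xFC, 0xF8, 0x03, 5),
    (0xFE, 0xFC, 0x01, 6),
)


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong (non-shortest-form) sequences.

    This reproduces the decoder weakness the attack relies on: the code point is
    assembled from the continuation bits as-is, so U+002F ('/') is accepted as
    C0 AF, E0 80 AF, F0 80 80 AF and so on, and C1 9C decodes to a backslash.
    A conforming decoder must reject every one of these.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        for mask, value, payload_mask, length in _LEAD_FORMS:
            if b & mask == value:
                break
        else:
            out.append("\ufffd")            # stray continuation or invalid lead byte
            i += 1
            continue
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(c & 0xC0 != 0x80 for c in tail):
            out.append("\ufffd")            # truncated or malformed sequence
            i += 1
            continue
        cp = b & payload_mask
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        # No shortest-form check here: that omission is the vulnerability.
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += length
    return "".join(out)


def contains_dotdot(path: str) -> bool:
    """The security check from the text: reject any '..' path segment."""
    return ".." in path.replace("\\", "/").split("/")


def vulnerable_pipeline(query_value: str) -> Optional[str]:
    """Wrong order: URL-decode, run the check on the raw bytes, then UTF-8-decode.

    Returns the path that would reach the file system, or None if blocked.
    """
    raw = unquote_to_bytes(query_value)
    # latin-1 gives one character per byte: the check sees C0 AF as two odd
    # characters rather than a separator, so '..\xc0\xaf..' is one harmless segment.
    if contains_dotdot(raw.decode("latin-1")):
        return None
    return lenient_utf8_decode(raw)


def hardened_pipeline(query_value: str) -> Optional[str]:
    """Right order: URL-decode, decode UTF-8 strictly, then check the canonical
    string. Python's codec rejects overlong forms outright, which is the correct
    behaviour for any decoder in front of a security check."""
    raw = unquote_to_bytes(query_value)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None                         # overlong or malformed: refuse, do not guess
    if contains_dotdot(text):
        return None
    return text


if __name__ == "__main__":
    # Query values taken from the payload list on this page.
    for value in ("..%2F../bin/ls%20-al|", "..%c0%af../bin/ls%20-al|",
                  "..%c1%9c../bin/ls%20-al|", "..%e0%80%af../bin/ls%20-al|",
                  "..%fc%80%80%80%80%af../bin/ls%20-al|"):
        print(f"{value:40} vulnerable={vulnerable_pipeline(value)!r:28} "
              f"hardened={hardened_pipeline(value)!r}")
```

Running it shows the plain %2F payload blocked by both pipelines, every overlong variant passing the vulnerable one as ../../bin/ls -al| (and %c1%9c as ..\..), and all of them rejected by the hardened one at the decoding step, before the .. check even runs. The entries in the list above that contain non-hex digits (%c1%pc, %c0%9v and similar) are left by unquote_to_bytes as literal text, so they only matter against decoders that are lenient about URL encoding as well.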

Buffer Overflow Detector

The Buffer Overflow Detector checks for buffer overflows. A buffer overflow occurs when a program attempts to put more information into memory than it has allocated space to accommodate. If the size of the information being written is not checked and limited to the size of the buffer, the extra information overflows into the adjacent parts of memory. Generally, once this happens, the program crashes, creating a denial of service situation. But if the data that overflows into other parts of memory is carefully crafted, it can change the program being executed and allow a malicious user to run their own code inside your server.

Buffer overflows are one of the most common security errors programmers make. It is very easy to leave out a length check, or to call a library function that assumes a certain length without checking it. On top of being very easy to create, buffer overflows are very hard to detect: with valid data, buffers don't overflow, and without really good testing, including deliberately over-long input, buffer overflows are easily missed during the QA process.
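How the overflow corrupts whatever sits next to the buffer, as an added example (not from this help page or the product): the memory layout is modelled with ctypes so that the overwrite really happens in memory rather than being simulated. The Frame structure, its field names and the 8-byte buffer size are constructed for the illustration; the is_admin field stands in for any trusted value that a compiler places after a buffer, such as a saved return address. The unchecked copy is what an unbounded strcpy() does; the checked copy is the fix the paragraph asks for.

```python
import ctypes

NAME_SIZE = 8


class Frame(ctypes.Structure):
    """Constructed stand-in for memory as a compiler lays it out: an 8-byte name
    buffer followed directly by a 4-byte value the program trusts."""
    _fields_ = [
        ("name", ctypes.c_char * NAME_SIZE),
        ("is_admin", ctypes.c_int32),
    ]


def store_name_unchecked(frame: Frame, data: bytes) -> None:
    """The bug: copy the input plus its terminator into the 8-byte name with no
    length check, exactly as strcpy() would. Byte 8 onwards lands in is_admin."""
    # Guard for the model only: past sizeof(Frame) we would be writing memory the
    # Python process does not own. A real strcpy() has no such guard.
    if len(data) + 1 > ctypes.sizeof(Frame):
        raise ValueError("model limit: would overrun the Frame object itself")
    ctypes.memmove(ctypes.addressof(frame), data + b"\x00", len(data) + 1)


def store_name_checked(frame: Frame, data: bytes) -> bool:
    """The fix: bound the copy by the buffer, keeping room for the terminator,
    and refuse (rather than silently truncate) anything longer."""
    if len(data) >= NAME_SIZE:
        return False
    ctypes.memmove(ctypes.addressof(frame), data + b"\x00", len(data) + 1)
    return True


def run_unchecked(data: bytes) -> int:
    """is_admin after an unchecked copy of data into a fresh, zero-filled frame."""
    frame = Frame()                     # ctypes zero-fills: is_admin starts at 0
    store_name_unchecked(frame, data)
    return frame.is_admin


def run_checked(data: bytes) -> tuple:
    """(accepted, is_admin) after a checked copy into a fresh frame."""
    frame = Frame()
    return store_name_checked(frame, data), frame.is_admin


if __name__ == "__main__":
    # Constructed inputs: a name that fits, one that exactly fills the buffer
    # (its terminator already spills over), and two that overwrite the flag.
    for sample in (b"alice", b"A" * 8, b"A" * 9, b"A" * 11):
        print(f"{sample!r:16} unchecked -> is_admin={run_unchecked(sample):#x}"
              f"   checked -> {run_checked(sample)}")
```

Nine or more bytes of input flip is_admin to a non-zero value without any crash, which is the quiet form of the problem: the program keeps running with attacker-chosen data in a field it trusts. Even the 8-byte input is already a bug (its terminator lands outside the buffer); the checked version rejects it for that reason.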

Multiple SQL Statements Detector

Butterfly Security CodeSeeker Application Security Solution Help

23

The Multiple SQL Statements Detector detects direct SQL command injection, a technique in which an attacker creates new SQL commands or alters existing ones to gain access to unintended data, or even the ability to execute system-level commands on the host. The attack relies on exploiting nonexistent or poorly designed input validation routines. Databases are fundamental components of most web-based applications: they store data such as user session information, customer records, preferences and content elements, and the web application interacts with them using the Structured Query Language (SQL) to dynamically build pages containing customised data views for each user.

This is accomplished by the application taking user input and combining it with static parameters to build a SQL query. This query is used to retrieve appropriate data from the database, which the application then presents to the user.

The security model used by many web applications assumes that a SQL query is a trusted command. This means that SQL queries are able to circumvent access controls, thereby bypassing standard authentication and authorization checks. In some instances, SQL queries may allow access to host operating system level commands.
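The pipeline the last three paragraphs describe, as an added example (this is not the product's own detection logic, which the page does not describe): a query built by string concatenation, a detector that counts top-level statements while ignoring ';' inside string literals and comments, and the parameterised alternative, run against a constructed in-memory SQLite database. The users table, its columns and the payload are assumptions of this example.

```python
import sqlite3
from typing import List, Tuple


def build_query_unsafe(username: str) -> str:
    """String concatenation: the user's input becomes part of the SQL text."""
    return "SELECT id, name FROM users WHERE name = '" + username + "'"


def count_statements(sql: str) -> int:
    """Count top-level statements: a ';' outside string literals and comments
    ends one statement and starts another. Trailing comments and whitespace do
    not count as a statement."""
    i, n, count, in_stmt = 0, len(sql), 0, False
    while i < n:
        c = sql[i]
        if c in ("'", '"'):                     # string literal; '' escapes a quote
            i += 1
            while i < n:
                if sql[i] == c:
                    if i + 1 < n and sql[i + 1] == c:
                        i += 2
                        continue
                    break
                i += 1
            i += 1
            in_stmt = True
        elif sql.startswith("--", i):           # line comment
            j = sql.find("\n", i)
            i = n if j < 0 else j + 1
        elif sql.startswith("/*", i):           # block comment
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif c == ";":
            if in_stmt:
                count += 1
                in_stmt = False
            i += 1
        else:
            if not c.isspace():
                in_stmt = True
            i += 1
    return count + (1 if in_stmt else 0)


def is_multi_statement(sql: str) -> bool:
    """The detector's verdict for one query: more than one statement."""
    return count_statements(sql) > 1


def new_db() -> sqlite3.Connection:
    """Constructed sample database: two legitimate users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users(name) VALUES ('alice'), ('bob');"
    )
    return conn


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> None:
    """Runs the concatenated text with executescript(), which executes every
    statement it contains, as many database APIs and drivers do."""
    conn.executescript(build_query_unsafe(username))


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Parameterised query: the input is bound as data and cannot add a statement."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (username,)
    ).fetchall()


def demo(payload: str = "x'; INSERT INTO users(name) VALUES ('attacker'); --") -> tuple:
    """(users before, detector verdict, safe lookup rows, users after unsafe lookup)."""
    conn = new_db()
    before = user_count(conn)
    verdict = is_multi_statement(build_query_unsafe(payload))
    safe_rows = lookup_safe(conn, payload)
    lookup_unsafe(conn, payload)
    return before, verdict, safe_rows, user_count(conn)


if __name__ == "__main__":
    print(build_query_unsafe("x'; INSERT INTO users(name) VALUES ('attacker'); --"))
    print(demo())
```

The concatenated query is flagged because the closing quote in the payload ends the literal and the ';' that follows is at top level; the same payload bound as a parameter matches no row and changes nothing. Note that the sqlite3 module's execute() refuses a string holding more than one statement, which is why the unsafe path uses executescript(); relying on such a driver-side refusal is not a substitute for binding parameters, since a single injected statement (a UNION, an OR 1=1) needs no ';' at all.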

/etc/passwd File Detector

The /etc/passwd File Detector checks for /etc/passwd file entries. The passwd file on a UNIX system is the local source of information about user accounts. On most modern UNIX systems, the only information an attacker can get from this file is the names of the users on the system, their login shells and their home directories. To get the password hashes, an attacker generally needs to go after the /etc/shadow file.

/etc/shadow File Detector

The /etc/shadow File Detector checks for /etc/shadow file entries. On most modern UNIX systems the shadow file contains the password hash (historically called the encrypted password) for each user, together with information about the password and its ageing policy, and is readable only by root.

/etc/hosts File Detector

The /etc/hosts File Detector checks for /etc/hosts file entries. The hosts file maps host names to IP addresses. It is useful to attackers because it reveals information about your network topology and the important hosts on your network, offering a ready list of further targets.
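One way to recognise the contents of these three files when they appear in a response, as an added example serving the /etc/passwd, /etc/shadow and /etc/hosts sections together (this is not the product's own matching logic, which the page does not describe). It assumes the detector inspects response bodies; the record formats are written as regular expressions from the descriptions above, and the sample bodies are constructed. It reports what an attacker would learn from each, which is what the descriptions emphasise.

```python
import re
from typing import Dict, Optional

# Record formats of the three files, as regular expressions for this example.
_PASSWD_LINE = re.compile(r"^([^:\s]+):([^:]*):(\d+):(\d+):([^:]*):([^:]*):([^:\s]*)$")
_SHADOW_LINE = re.compile(r"^([^:\s]+):([^:]*)(?::[^:]*){6,7}$")        # 8 or 9 fields
_HOSTS_LINE = re.compile(
    r"^\s*((?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]+)\s+([\w.-]+(?:\s+[\w.-]+)*)\s*$")


def _has_hash(field: str) -> bool:
    """A shadow password field that is empty, '*' or starts with '!' is locked:
    there is nothing to crack. Anything else is a hash worth the attacker's time."""
    return field not in ("", "*") and not field.startswith("!")


def classify_leak(body: str) -> Optional[Dict[str, object]]:
    """Report whether a response body looks like /etc/passwd, /etc/shadow or
    /etc/hosts, and summarise what an attacker learns from it.

    At least two matching records are required, so one stray colon-separated
    string in an HTML page does not trigger the detector."""
    lines = [ln for ln in body.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    passwd = [m for m in map(_PASSWD_LINE.match, lines) if m]
    if len(passwd) >= 2:
        return {"kind": "/etc/passwd",
                "users": [m.group(1) for m in passwd],
                "homes": [m.group(6) for m in passwd],
                "shells": sorted({m.group(7) for m in passwd})}
    shadow = [m for m in map(_SHADOW_LINE.match, lines) if m]
    if len(shadow) >= 2:
        return {"kind": "/etc/shadow",
                "users": [m.group(1) for m in shadow],
                "with_hash": [m.group(1) for m in shadow if _has_hash(m.group(2))]}
    hosts = [m for m in map(_HOSTS_LINE.match, lines) if m]
    if len(hosts) >= 2:
        return {"kind": "/etc/hosts",
                "hosts": [(m.group(1), m.group(2).split()) for m in hosts]}
    return None


# Constructed sample bodies (not real system files).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jdoe:x:1000:1000:J. Doe:/home/jdoe:/bin/zsh
"""
SHADOW_SAMPLE = """root:$6$saltsalt$hashhashhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
jdoe:$y$j9T$salt$hash:18000:0:99999:7:::
"""
HOSTS_SAMPLE = """# constructed hosts file
127.0.0.1 localhost
::1 localhost ip6-localhost
10.0.0.5 db01.internal db01
10.0.0.9 backup.internal
"""
HTML_SAMPLE = "<html><body><h1>Welcome</h1><p>a:b:1:2:c:d:e</p></body></html>"

if __name__ == "__main__":
    for label, body in (("passwd", PASSWD_SAMPLE), ("shadow", SHADOW_SAMPLE),
                        ("hosts", HOSTS_SAMPLE), ("html", HTML_SAMPLE)):
        print(f"{label:7} -> {classify_leak(body)}")
```

The order of the checks matters only for clarity: passwd records have exactly seven fields and shadow records eight or nine, so neither expression matches the other file, and a hosts line has no leading colon-separated field at all. The single passwd-shaped string in the HTML sample is below the two-record threshold and is not reported.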

