- Video: https://securing-the-stack.teachable.com/p/injection-fundamentals-1
- Env Setup: https://sts.tools/setup
- Ask A Question: https://sts.tools/injection-question
- Speak To Human: https://sts.tools/live-support
- Overarching Playlist: https://securing-the-stack.teachable.com/p/injection-playlist
- OWASP Top 10 2017
  - Top 10 security threats to web applications
  - Injection is the #1 risk
- Who is this course for?
- Developers who have novice injection/security knowledge
- Prerequisites: None
- At the end of this episode, you'll be able to
- Understand what injection is
- Understand how execution contexts are linked to injection risks
- Evaluate code to decipher all execution contexts
- Perform an injection against a live node.js server inside a safe, containerized environment
- Offense is the best defense!
- Ready? Come join me in the next lecture!
- Webhook functionality within a node application
- Leveraging GET for simplicity:
var userDefinedUrl = 'example.com/route';
// Allow shell access: exec() hands the whole string to /bin/sh to parse
var exec = require('child_process').exec;
var curl = exec('curl ' + userDefinedUrl);
curl.stdout.on('data', function(data) {
  // Mock response
  console.log(data);
});
Injection is introducing data with malicious intent
- This data could include unexpected commands that the program executes
- What malicious data could be injected into userDefinedUrl?
// Assignment: Kill the node process by entering data into `userDefinedUrl`
// Assume that the commands are being executed within a bash shell
var userDefinedUrl = 'example.com/route';
// Allow shell access: exec() hands the whole string to the shell to parse
var exec = require('child_process').exec;
var curl = exec('curl ' + userDefinedUrl);
curl.stdout.on('data', function(data) {
  // Mock response
  console.log(data);
});
// Run: "EX_NUM=1 docker-compose up"
// File: "ep9-injection-fundamentals-part-1/src/1/app.js"
// Env Setup/Error Reporting: https://sts.tools/readme
// Questions: https://sts.tools/injection-question
- Hint:
  - Think about the execution context we're focusing on (i.e., the Linux shell) and what delimits shell commands
  - pkill
// Make a PR and contribute your answers here!
// var userDefinedUrl = "example.com/route; pkill node";
var userDefinedUrl = 'example.com/route';
// Allow shell access: exec() hands the whole string to the shell to parse
var exec = require('child_process').exec;
var curl = exec('curl ' + userDefinedUrl);
curl.stdout.on('data', function(data) {
  // Mock response
  console.log(data);
});
// Run: "EX_NUM=2 docker-compose up"
// File: "ep9-injection-fundamentals-part-1/src/2/app.js"
// Env Setup/Error Reporting: https://sts.tools/readme
// Questions: https://sts.tools/injection-question
- Answer:
var userDefinedUrl = 'example.com/route; pkill node';
var curl = exec('curl ' + userDefinedUrl);
// The shell receives `curl example.com/route; pkill node`: the `;` ends the curl
// command, and `pkill node` runs as a second command and kills the server
- Input is fed into an execution context (e.g., /bin/sh) which has its own syntax (e.g., `;` delimits commands)
- If delimiters are allowed through, injection can be very easy
- If the input has come from an outside entity, don't trust it
  - Ex: user-supplied data that was stored in a database and is now being read back; the database does not make it trusted
- What other ways can the shell context be exploited?
var userDefinedUrl = "example.com/route; echo $ENV_SECRET"; // leak an environment variable
var userDefinedUrl = 'example.com/route; pkill node';       // kill the process
var curl = exec('curl ' + userDefinedUrl);
- Syntactic Injection
  - Exploiting the syntax of a given execution context
var userDefinedUrl = 'example.com/route; pkill node';
var curl = exec('curl ' + userDefinedUrl);
- What execution contexts are being leveraged?
  - shell (/bin/sh, spawned by exec())
  - curl (the URL is parsed by curl, and a value starting with `-` would be read as an option)
  - javascript (always true: the node program itself is an execution context)
- Additional assignment: Look for file manipulation within a codebase and identify potential injection issues
- Sometimes file manipulations occur within a shell context
- Review video notes for links to
- Other/future episodes
- Additional resources
- Specific to other languages
- Ability to explore more in-depth
- Future episodes will cover additional execution contexts
- Thanks! :D
- Additional resources: none so far :)
  - Please submit a PR with any additional resources.
- Previous episodes: none. This is the first episode