Which symbols are safe with regards to SQL injection / XSS / other injections attacks?

I have an input field in web that is being saved to a storage via API. This field can be shown in other systems that I do not have control over and that’s why I would like to limit what is allowed to write in the field but allow some common special characters for convenience.

This is what I came up with:

  • Alphanumeric
  • Space
  • .,()-:

I would like to check if this is “safe” enough with regards to XSS injection, SQL injection and eventually any other things I did not think about.

P.S. I do know that this is not the right way to prevent an attack and I only need this because data use will be out of my control.

SQL Injection only with OR

I am doing a practise SQL injection in a search field and I don’t understand the logic of what is happening.

The following behaviours are what I noticed:

Entering ' OR '1' = '1 shows all the results.

Entering ' shows no results (shows ‘no results found’)

Entering test shows some relevant results

Entering test' AND '1' = '1 shows nothing (not even ‘no results found’)

Entering test' OR '1' = '1 shows all the results.

What I don’t understand is that it seems the logical OR is working but not the AND. How could this be, any ideas? Any SQL commands I tried don’t seem to work (like sleep etc.) and result in nothing (not even ‘no results found’).

PS: When I tried a more complicated injection with UNION it got blocked by WAF and I bypassed it with /**/ comment blocks in the statements. This is for a CTF challenge and I’m trying to learn about injection.

EDIT1:

Writing the result queries out makes sense:

sql = "SELECT * FROM `articles` WHERE `content` LIKE '%' OR '1' = '1%'";
sql = "SELECT * FROM `articles` WHERE `content` LIKE '%'%'";
sql = "SELECT * FROM `articles` WHERE `content` LIKE '%test%'";
sql = "SELECT * FROM `articles` WHERE `content` LIKE '%test' AND '1' = '1%'";
sql = "SELECT * FROM `articles` WHERE `content` LIKE '%test' OR '1' = '1%'";

EDIT2: I just tried: %' AND '1%' LiKE '1 results to:

sql = "SELECT * FROM `articles` WHERE `content` LIKE '%%' AND '1%' LiKE '1%'";

But it doesn’t show results, which means I was not right and the query is probably different 🙁
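
Added example, not part of the original question: the query shape guessed in EDIT1, run against SQLite as a stand-in backend, next to a bound-parameter version of the same search. The sample rows and the function names are constructed for illustration; the table and column names are the ones in EDIT1.

```python
import sqlite3

# Constructed sample rows; table and column names follow the question's EDIT1.
ROWS = ["a test article", "unit test", "nothing here"]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (content TEXT)")
    db.executemany("INSERT INTO articles VALUES (?)", [(r,) for r in ROWS])
    return db

def search_concat(db, term):
    """String-built query in the shape guessed in EDIT1 (vulnerable)."""
    sql = "SELECT content FROM articles WHERE content LIKE '%" + term + "%'"
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.Error:
        return None  # statement did not parse, so there is no result set at all

def search_param(db, term):
    """Bound parameter; LIKE wildcards typed by the user are escaped as well."""
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT content FROM articles WHERE content LIKE ? ESCAPE '\\'"
    return [r[0] for r in db.execute(sql, ("%" + esc + "%",))]

if __name__ == "__main__":
    db = make_db()
    # The five inputs listed in the question.
    for term in ["' OR '1' = '1", "'", "test",
                 "test' AND '1' = '1", "test' OR '1' = '1"]:
        print(repr(term), "concat:", search_concat(db, term),
              "bound:", search_param(db, term))
```

With this shape the last input returns only rows ending in "test", not every row, which agrees with the poster's conclusion that the real query is built differently. The bound version treats every input as literal search text.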

SQL injection in an ALTER statement [on hold]

I am new to stack– apologies if this isn’t allowed, I’m reposting this question here because this seems to be a more active community.

Let’s say you have a Java app which has a query which can unlock/reset passwords for users like:

ALTER USER " + iD_Of_User.toUpperCase() + " IDENTIFIED BY " + password_Of_User + " ACCOUNT UNLOCK 

Where iD_Of_User and password_Of_User definitely come in directly from an HTTP request. Basically this.

I get an error when I try to use a PreparedStatement object to parameterize the dynamic values… I guess PreparedStatement’s parameters can only be used for data values? And the ALTER query here is not using the values that way.

I don’t think input validation is even possible here– maybe on the iD_Of_User value, but almost certainly not on the password_Of_User value (which is sometimes used as a password reset– so its only restrictions are the Oracle 12c password standards).

Any help here would be greatly appreciated. I reviewed this post, but it didn’t give me a good solution. I’m hoping someone knows of a good way to do password resets/account unlocks in Oracle which doesn’t open the app up to SQL injection.
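
Added example, not part of the original question and not the app's code: Oracle does not accept bind variables in DDL such as ALTER USER, so the statement text has to be assembled, and the defence is strict validation of both tokens before assembly. The sketch is in Python (the same checks port directly to Java); `build_alter_user`, the `PROTECTED` set and the 30-character identifier limit are assumptions, as is the rule that an Oracle password cannot contain a double quotation mark.

```python
import re

# Assumption: unquoted Oracle identifier rule (letter first, then letters,
# digits, _ $ #, at most 30 characters). Raise the limit for 12.2 and later.
_USERNAME = re.compile(r"[A-Z][A-Z0-9_$#]{0,29}")

# Assumption: accounts this reset feature must never touch.
PROTECTED = {"SYS", "SYSTEM"}

def build_alter_user(user_id, password):
    """Return the ALTER USER text, or raise ValueError on unsafe input."""
    name = user_id.upper()
    if not _USERNAME.fullmatch(name):
        raise ValueError("user id is not a plain Oracle identifier")
    if name in PROTECTED:
        raise ValueError("account may not be reset through this path")
    # Inside double quotes every character is literal except the quote itself
    # and NUL, so rejecting those two keeps the password a single token.
    if not password or '"' in password or "\x00" in password:
        raise ValueError("password is empty or contains a disallowed character")
    if any(ord(c) < 0x20 for c in password):
        raise ValueError("control characters are not accepted in a password")
    return 'ALTER USER %s IDENTIFIED BY "%s" ACCOUNT UNLOCK' % (name, password)

if __name__ == "__main__":
    # Constructed sample values.
    print(build_alter_user("scott", "N3w#Pass word"))
```

The database-side equivalent is a definer-rights PL/SQL procedure that checks the name with DBMS_ASSERT before EXECUTE IMMEDIATE, so the application account never needs the ALTER USER privilege itself.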

User’s CLI input validation for filtering out injection attacks

I am writing a Python script, Gestioner.py, which checks for some service CLI commands and validates whether they are supported or not.

I am also trying to develop a test harness, Gest_Test.py, to verify and test possible security attacks like injection attacks, and see whether my earlier Gestioner.py is able to stop/filter out injection attacks.

My question is :

How can I further add such security attack filtering functionality in ‘Gestioner.py’, to stop any security injection related inputs given through CLI commands?

Here are some of the example ‘valid’ commands:

--binfcmd filebinf
--filecmd fileftp
--binfcmd filebinf2 --zip testzipfile2 --stat --type None --mol None

Here is the Gestioner.py file:

#Gestioner.py
#For processing the PService cli commands

from pathlib import Path
import os
import errno
import logging
import sys
from collections import namedtuple
sys.path.insert(0, '..')


supported_cmds = ['binfcmd','zip','stat','type','mol','sync', 'filecmd']
ISSupported = namedtuple('ISSupported', 'result desc')

###
# Base Class for processing Pservice commands
###
class CmdGestioner:
    def __init__(self):
        # Initialise the attribute so get_full_command() works before set_full_command()
        self.full_command = None

    def set_full_command(self, in_cmd=None):
        self.full_command = in_cmd

    def get_full_command(self):
        return self.full_command

    def print(self):
        print("Output: ", self.full_command)

    def is_supported(self, in_command):
        pservice_flags = [elem for elem in in_command.split() if str(elem).startswith('--')]

        # Compare pservice flags with supported version.
        # Slice off only the leading '--'; str.strip('--') removes every '-' at both ends,
        # so '---stat' or '--stat-' would have been accepted as 'stat'.
        command_not_supported = [x for x in pservice_flags if x[2:] not in supported_cmds]
        # Compare pservice_flags with supported version.
        if (len(command_not_supported) > 0):
            commands = ' '.join(str(elem) for elem in command_not_supported)
            command_not_supported_strs = 'The following commands are not supported: ' + commands
            print (command_not_supported_strs)
            return ISSupported(
                result=False,
                desc=command_not_supported_strs)

        return ISSupported(
                result=True,
                desc='')

Test file:

#Gest_test.py

from pathlib import Path
import os
import errno
import logging
import sys
from Gestioner import CmdGestioner
from collections import namedtuple


# Testing application.
if __name__== "__main__":
  print("Command line parser program.")
  cmd = CmdGestioner()
  # Join with a space so the arguments stay separated as they were typed
  cmd_mtg_str = ' '.join(str(elem) for elem in sys.argv[1:])
  # Slice off only the leading '--' instead of stripping every '-'
  cmd_args = [str(elem)[2:] for elem in sys.argv[1:] if str(elem).startswith('--')]

  print ("This is the name of the script: ", sys.argv[0])
  print ("The arguments are: " , str(sys.argv))
  print("The cmd.print() is: ", cmd)
  print ("The program arguments are: " , cmd_mtg_str)
  print ("Splitting commands into groups by -- from string: ", cmd_mtg_str.strip())
  flags = cmd_mtg_str.split('--')
  for x in flags:
      print(x)
  print ('Main commands i.e. those that start with -- ', str(cmd_args))

  print('finished')

Thanks for any suggestions/guidance to work my way in the scripts.
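
Added example, not part of the original question or of Gestioner.py: one way to extend the flag check so that values are validated as well, using an allowlist per flag and returning an argument list instead of a string. The flag names come from `supported_cmds`; which flags take a value, the `SAFE_NAME` pattern and the name `validate_command` are assumptions.

```python
import re
import shlex

# Assumption: values are plain names (letters, digits, _ . -), 1 to 64 chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Flag -> pattern its single value must fully match; None = flag takes no value.
RULES = {
    "binfcmd": SAFE_NAME, "filecmd": SAFE_NAME, "zip": SAFE_NAME,
    "type": SAFE_NAME, "mol": SAFE_NAME, "stat": None, "sync": None,
}

def validate_command(line):
    """Return (True, argv list) when the line is acceptable, else (False, reason)."""
    try:
        tokens = shlex.split(line)      # honours quoting, never runs a shell
    except ValueError as exc:           # e.g. unbalanced quotes
        return False, "unparseable input: %s" % exc
    if not tokens:
        return False, "empty command"
    argv, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--") or tok[2:] not in RULES:
            return False, "unsupported flag: %r" % tok
        rule = RULES[tok[2:]]
        argv.append(tok)
        i += 1
        if rule is None:
            continue
        if i >= len(tokens) or tokens[i].startswith("-"):
            return False, "missing value for %s" % tok
        value = tokens[i]
        if not rule.fullmatch(value) or ".." in value:
            return False, "rejected value for %s: %r" % (tok, value)
        argv.append(value)
        i += 1
    return True, argv

if __name__ == "__main__":
    # First line is from the question; the others are constructed test inputs.
    for line in ["--binfcmd filebinf2 --zip testzipfile2 --stat --type None --mol None",
                 "--binfcmd filebinf;id", "--zip ../secret", "--stat extra"]:
        print(validate_command(line))
```

Hand the returned list to `subprocess.run(argv_prefix + argv, shell=False)` rather than re-joining it into a string, so shell metacharacters are never interpreted even if a rule is later loosened.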

How can I turn this XML injection into a valid XXE?

I was testing the website example.com and found a form vulnerable to XML Injection. It sends the details you insert into that form as an XML attachment via email to my email address and also to the administrator's CMS as email. It works with XSS but my question is, can this also work with XXE? And if yes, what XML code can I inject to demonstrate the presence of XXE?

The injection point is the following

<?xml version="1.0" encoding="iso-8859-1"?>
<content>
<firstname>Injection-Point</firstname>
<lastname>Test</lastname>
<telephone>75674874844</telephone>
<state>TT</state>
<countryInput></countryInput>
<method>Email</method>
<authorised>Yes</authorised>
<privacy>yes</privacy>
</content>

The injection is occurring in <firstname> tag. Can this be turned into a good XXE?
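
Added example, not part of the original question and not the site's code: the fix for this injection point, seen from the application side, is to build the attachment with an XML serializer instead of string concatenation, so that form values are always emitted as escaped text. The field list is a subset of the document above; the function names and the sample value are constructed.

```python
import xml.etree.ElementTree as ET

# Subset of the fields in the document shown in the question.
FIELDS = ["firstname", "lastname", "telephone", "state"]

def build_concat(values):
    """String-built document: markup inside a value becomes document structure."""
    body = "".join("<%s>%s</%s>" % (f, values[f], f) for f in FIELDS)
    return "<content>%s</content>" % body

def build_serialized(values):
    """Serializer-built document: every value is written as escaped text."""
    root = ET.Element("content")
    for f in FIELDS:
        ET.SubElement(root, f).text = values[f]
    return ET.tostring(root, encoding="unicode")

def child_tags(xml_text):
    """Element names directly under <content>, as a consumer would see them."""
    return [child.tag for child in ET.fromstring(xml_text)]

# Constructed form submission whose first name carries markup.
SAMPLE = {
    "firstname": "A</firstname><authorised>Yes</authorised><firstname>B",
    "lastname": "Test",
    "telephone": "75674874844",
    "state": "TT",
}

if __name__ == "__main__":
    print(child_tags(build_concat(SAMPLE)))      # extra elements appear
    print(child_tags(build_serialized(SAMPLE)))  # exactly the four fields
    print(build_serialized(SAMPLE))
```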

How exactly does this SQL injection example related to the DVWA application work?

I am a software developer converting to application security and I have some doubts about an SQL injection example.

I am following a tutorial related the famous DVWA: http://www.dvwa.co.uk/

So I have the following doubt (probably pretty trivial).

I have this PHP code defining the query and the code to perform it:

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        $html .= '<pre>User ID exists in the database.</pre>';
    }
    else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        $html .= '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

As you can see the query is defined as string concatenation:

$getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

So I can inject what I want into the $id variable and perform extra SQL code as:

$id = 1 OR 1=1

that will be always true. Ok this is clear.

My doubt is different:

Inserting a valid value (such as 1) into the form, I obtain this URL: http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#

The query is performed correctly and I am obtaining the following message result: User ID exists in the database.

If I try to insert a totally wrong ID in the form, for example “ABC”, I am obtaining the following error message: User ID is MISSING from the database. Ok, and this is ok.

But if I try to insert a “wrong” value such as 1' in the form, the following URL is generated: http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1%27&Submit=Submit#

And I obtain a valid message: User ID is MISSING from the database.

So it seems that the query was correctly executed searching for the user with ID=1.

Why is the char not breaking the query? I was thinking that it has to search for a user with ID=1' that does not exist in the database (as in the case of ID=ABC).

Why? What am I missing? Probably it is a trivial question but I want to understand it in depth.

Would HTTP Header injection allow for an XSS vulnerability if content-type is application/force-download?

I am currently conducting a pentest and I found an application vulnerable to HTTP header injection, where the user input is reflected after the Content-Type header, and the Content-Type is set to application/force-download. That is, the attacker can pass content in the GET parameter that is then reflected in the header. Imagine a request like so:

/vulnerable_application?param=reflected-header_malicious_payload 

Which then yields a response like so:

HTTP/1.1 200 OK
Date: Wed, 06 Nov 2019 22:14:22 GMT
Server: [...]
Content-Length: 2
Content-Type: application/force-download; charset=UTF-16
Content-Disposition: attachment; filename=reflected-header_malicious_payload
Connection: close

I am trying to assess the severity of this finding, in particular whether it would allow for a reflected XSS attack. It seems to me that there is no way to get around the Content-Type: application/force-download which leads me to believe that the severity is pretty low.

C/C++ code injection

I know how we do code injections with scripted languages like JavaScript, SQL, PHP, etc. and pretty much wherever an execute() function is used. However, I’m still unsure about how code injection works with compiled languages like C and C++.

I’ve looked up “C code injection” and “C++ code injection” on Google and our beloved StackOverflow but haven’t found much besides the fact that it uses overflows like inputting -1 for an unsigned int variable or inputting too many values for an array.

I’ve seen some CTF videos where people input strings like aaaaaa with a lot of a's followed by some hex values (after seeing that the program returns SegFault with those long strings) but never really got a good explanation.

My question(s): How exactly is code injection done in compiled programs (like those written with C/C++)? How do people know when to use such injections? How are programs written to avoid such injections?