
Link Injection (facilitates Cross-Site Request Forgery)

 zybingliu 2008-05-24

 

Link Injection (facilitates Cross-Site Request Forgery)

Application issue

 

WASC classification: Content Spoofing

 

Reference: http://www./projects/threat/classes/content_spoofing.shtml

 

Severity:

         Medium

 

Risks:

         Tricking users into supplying sensitive information: username, password, email, credit card number, etc.

         Stealing or manipulating the user's session cookie, so that the attacker can act as a legitimate customer.

         Uploading, modifying or deleting web pages, scripts and files on the web server.

 

Technical description:

         Link Injection modifies a page by embedding in it a URL that points to an external site, or a script. By embedding a URL in the vulnerable site, the attacker can use that site as a platform to attack other sites, as well as the vulnerable site itself.

         Some of these attacks require the user to be logged in to the vulnerable site. By launching the attack from the vulnerable site itself, the attacker increases the chance of success, because the user is more likely to be logged in.

         A Link Injection attack results from insufficient checking of user input that is later returned to the user. Injecting hazardous characters into the response makes it possible for an attacker to embed URLs, among other content modifications.

 

         Example:

         Link: HTTP://www.vulnerable.com/greet.asp?name=John Smith displays: Hello John Smith

Changed to: HTTP://www.vulnerable.com/greet.asp?name=<IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp"> the response returned is:

<HTML>

<BODY>

    Hello, <IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp">.

</BODY>

</HTML>

 

This causes the user's browser to automatically send a request wherever the attacker wants it to go.

As a result, the attacker may use this in several ways:

1.       CSRF (Cross-Site Request Forgery)

2.       Cross-Site Scripting

 

         An attacker can embed a link to a malicious site that resembles the attacked site. An incautious user may click the link without realizing that he has left the original site for a malicious one. The attacker may then lure the user into logging in again, obtaining the user's credentials.

 

Fix:

         Validate and sanitize user input.


Link Injection (facilitates Cross-Site Request Forgery)

Application

 

WASC Threat Classification

       Client-side Attacks: Content Spoofing

       http://www./projects/threat/classes/content_spoofing.shtml

 

CVE Reference(s)

N/A

 

Security Risks

       It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.

       It is possible to steal or manipulate customer session and cookies, which may be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

       It is possible to upload, modify or delete web pages, scripts and files on the web server

 

Possible Causes

       Sanitization of hazardous characters was not performed correctly on user input

 

Technical Description

       Link Injection is the act of modifying the content of a site by embedding in it a URL to an external site, or to a script in the vulnerable site. By embedding a URL in the vulnerable site, an attacker is then able to use it as a platform to launch attacks against other sites, as well as against the vulnerable site itself. Some of these possible attacks require the user to be logged in to the site during the attack. By launching these attacks from the vulnerable site itself the attacker increases the chances of success, because the user is more likely to be logged in.

       The Link Injection vulnerability is a result of insufficient user input sanitization, which is later returned to the user in the site response. The ability to inject hazardous characters into the response makes it possible for attackers to embed URLs, among other possible content modifications.

       Below is an example of a Link Injection (we will assume that the site "www.vulnerable.com" has a parameter called "name", which is used to greet users).

       The following request:

              HTTP://www.vulnerable.com/greet.asp?name=John Smith

       Will yield the following response:


<HTML>

<BODY>

Hello, John Smith.

</BODY>

</HTML>

 

       However, a malicious user may send the following request:

              HTTP://www.vulnerable.com/greet.asp?name=<IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp">

       This will return the following response:

<HTML>

<BODY>

    Hello, <IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp">.

</BODY>

</HTML>

 

       As this example shows, it is possible to cause a user's browser to issue automatic requests to virtually any site the attacker desires. As a result, he may use this Link Injection vulnerability to launch several types of attack:

- Cross-Site Request Forgery:
  An attacker is able to cause the user's browser to send a request to a site where the user is currently logged in, and perform actions that the user did not intend to do. Such actions may include unregistering from the site, or modifying the user's profile, email address or even password, which could result in a complete account takeover.

- Cross-Site Scripting:
  Any Cross-Site Scripting attack begins with the act of luring users into clicking a specially crafted URL that exploits a vulnerability in the victim site. This is usually done by sending emails that contain the malicious link, or creating a web site that contains a link to the vulnerable site.
  With the Link Injection vulnerability, it is possible to embed a malicious URL in site A that, when clicked, will launch a Cross-Site Scripting attack against site B.

- Phishing:
  It is possible for an attacker to inject a link to a malicious site that resembles the attacked site. An incautious user may click it and not realize that he is leaving the original site and surfing to a malicious site. The attacker may then lure the user to log in again, thus acquiring his login credentials.
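The Cross-Site Request Forgery case above hinges on one mechanism: the browser fetches every <IMG SRC> it sees and attaches the cookies it holds for that host, so a session cookie alone proves who the browser is, not that the user intended the request. The following model, added here and not part of the advisory, shows that mechanism against a constructed site (www.ANY-SITE.com with a hypothetical /change_email.asp endpoint and an in-memory session store) and the server-side check that stops it: a per-session anti-CSRF token that only the site's own pages carry. The token check goes beyond the advisory's own fix recommendation, which is limited to sanitizing input on the vulnerable site.

```python
"""Model of how an injected <IMG SRC=...> becomes a cross-site request carrying
the victim's cookies, and how a per-session anti-CSRF token stops it.
Added example: the site www.ANY-SITE.com, its /change_email.asp endpoint, the
session store and the token scheme are all constructed for illustration."""
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed session store: cookie value -> session data (hypothetical).
SESSIONS = {
    "sess-victim": {"user": "alice", "email": "alice@example.com", "csrf": None},
}


def issue_csrf_token(sid: str) -> str:
    """Mint a random token bound to the session. The site embeds it in the forms
    it serves; a page injected elsewhere cannot know it."""
    token = secrets.token_hex(16)
    SESSIONS[sid]["csrf"] = token
    return token


def any_site(url: str, cookies: dict, require_token: bool):
    """Constructed server for www.ANY-SITE.com. Returns (status, message).
    It changes state on a plain GET, which is exactly what lets an <IMG> drive it."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "login required"
    if parts.path != "/change_email.asp":
        return 404, "not found"
    if require_token:
        sent = params.get("csrf", [""])[0]
        expected = session["csrf"]
        # Cookies prove who the browser is, not that the user meant this request.
        if not expected or not secrets.compare_digest(sent, expected):
            return 403, "rejected: request did not carry this session's token"
    session["email"] = params.get("email", [""])[0]
    return 200, "email updated"


IMG_SRC = re.compile(r'<IMG\s+SRC="([^"]+)"', re.IGNORECASE)


def browser_loads(page_html: str, cookie_jar: dict, require_token: bool):
    """Model of the victim's browser: it fetches every <IMG SRC> on the page and
    attaches the cookies it holds for that host, as it would for a real image."""
    outcomes = []
    for url in IMG_SRC.findall(page_html):
        host = urlsplit(url).hostname  # lower-cased by urlsplit
        outcomes.append((url, any_site(url, cookie_jar.get(host, {}), require_token)))
    return outcomes


def scenario(require_token: bool) -> str:
    """Victim is logged in to www.ANY-SITE.com and views a greet.asp response into
    which an <IMG> pointing at the state-changing endpoint was injected
    (constructed page). Returns the victim's e-mail after the page load."""
    SESSIONS["sess-victim"]["email"] = "alice@example.com"
    cookie_jar = {"www.any-site.com": {"sid": "sess-victim"}}
    injected_page = (
        "<HTML>\n<BODY>\nHello, "
        '<IMG SRC="http://www.ANY-SITE.com/change_email.asp?email=attacker%40example.com">'
        ".\n</BODY>\n</HTML>"
    )
    browser_loads(injected_page, cookie_jar, require_token)
    return SESSIONS["sess-victim"]["email"]


def legitimate_change(sid: str, new_email: str):
    """The site's own form flow: the token it issued comes back with the request."""
    token = issue_csrf_token(sid)
    url = f"http://www.ANY-SITE.com/change_email.asp?email={new_email}&csrf={token}"
    return any_site(url, {"sid": sid}, require_token=True)


if __name__ == "__main__":
    print("no token check :", scenario(False))
    print("token required :", scenario(True))
    print("own form flow  :", legitimate_change("sess-victim", "alice2@example.com"))
```

Without the token check the e-mail on file changes to the value in the injected URL even though the user only viewed a greeting page; with it, the same page load is refused while the site's own form flow still succeeds. A SameSite cookie attribute or a check that state changes only happen on POST would close the same gap by other means.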

 

General Fix Recommendations

       There are several issues whose remediation lies in sanitizing user input.

       By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands, etc.
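To make the fix concrete for the greet.asp example used in both sections of this page, here is an added example (not the advisory's code) that re-implements the handler in Python three ways: reflecting the parameter verbatim, as the vulnerable page does; with output encoding; and with an allow-list check on the input in addition to encoding. The allow-list pattern for a name is an assumption, as is the small `reflects_markup` check, which is the kind of regression test one would keep in a test suite to catch a reintroduced reflection. The two request URLs are the ones from the advisory.

```python
"""The advisory's greet.asp re-implemented three ways: reflecting the parameter
verbatim (the vulnerable behaviour), with output encoding, and with an
allow-list check on the input. Added example, not the advisory's code."""
import html
import re
from urllib.parse import parse_qs, urlsplit

TEMPLATE = "<HTML>\n<BODY>\nHello, {name}.\n</BODY>\n</HTML>"


def greet_vulnerable(name: str) -> str:
    """Inserts the parameter into the page unchanged, as greet.asp in the advisory does."""
    return TEMPLATE.format(name=name)


def greet_encoded(name: str) -> str:
    """Output encoding: <, >, &, and quotes become entities, so whatever the
    parameter contains is rendered as text and never parsed as a tag or URL."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


# Allow-list for a person's name (assumption; adjust to the field's real rules).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}")


def greet_validated(name: str) -> str:
    """Input validation in addition to encoding: anything outside the allow-list
    is rejected outright rather than repaired, which also keeps hazardous
    characters out of logs and other downstream consumers."""
    if not NAME_RE.fullmatch(name):
        return "<HTML>\n<BODY>\nInvalid name.\n</BODY>\n</HTML>"
    return greet_encoded(name)


TAG_RE = re.compile(r"<\s*/?[a-z]", re.IGNORECASE)


def reflects_markup(response: str) -> bool:
    """Regression check (assumed helper): strip the page's own fixed skeleton and
    see whether a tag is left over, i.e. whether the parameter came back as markup."""
    leftover = response
    for fixed in ("<HTML>", "<BODY>", "</BODY>", "</HTML>"):
        leftover = leftover.replace(fixed, "")
    return TAG_RE.search(leftover) is not None


def serve(url: str, handler) -> str:
    """Route a request URL to one of the handlers above."""
    name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    return handler(name)


# The two requests shown in the advisory.
BENIGN = "HTTP://www.vulnerable.com/greet.asp?name=John Smith"
MALICIOUS = ('HTTP://www.vulnerable.com/greet.asp?name='
             '<IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp">')


if __name__ == "__main__":
    for handler in (greet_vulnerable, greet_encoded, greet_validated):
        response = serve(MALICIOUS, handler)
        print(f"--- {handler.__name__}: reflects markup = {reflects_markup(response)}")
        print(response)
```

Output encoding alone is enough to neutralise the injected tag, because the browser receives `&lt;IMG ...&gt;` as literal text; the allow-list is the defence the advisory describes ("verifying that user input does not contain hazardous characters") and is worth keeping as well, since an encoded value is safe in this HTML context but may still be reflected unencoded somewhere else later.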

 

 

 

 

 

 

 
