The reason why your exploit does not work

This post explains why, in Java, most command-line injection vulnerabilities cannot, in the common case, be exploited with payloads such as:

  • && dir
  • ; ls


There are two ways to run a command:

  1. Send the whole command line to the OS shell (cmd.exe or /bin/sh) and let the shell parse and run it.
  2. Split the command line into an array of words, execute the first word as the program, and pass the remaining words to it as arguments.


The difference is when, for example, the command is:

Notepad.exe a.txt && dir

The first method runs both commands (it opens Notepad with the file a.txt and, if that succeeds, runs dir). The second method passes ‘&&’ and ‘dir’ to notepad.exe as plain arguments, so ‘&&’ and ‘dir’ are never interpreted as a second command.

This is also the difference between the C library's ‘system’ function, which behaves like the first method, and Java's ‘Runtime.exec’, which behaves like the second.
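The following is an added example, not code from the original post. It makes the distinction observable: the program launches a copy of itself as a child process and has the child report the arguments it actually received. The hostile-looking value "a.txt && dir" is a constructed input, and the class and method names are this example's own. It assumes a JDK on the path whose java.home and classpath contain no spaces (the whitespace-only splitting done by Runtime.exec(String) is precisely what the second launch illustrates).

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ArgvDemo {

    // Child mode: print how many arguments arrived and what they were.
    static void childMain(String[] args) {
        System.out.println("argc=" + args.length);
        for (int i = 0; i < args.length; i++) {
            System.out.println("argv[" + i + "]=" + args[i]);
        }
    }

    // Collect the child's stdout lines and wait for it to exit.
    static List<String> run(Process p) throws IOException, InterruptedException {
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                lines.add(line);
            }
        }
        p.waitFor();
        return lines;
    }

    // Command prefix that re-launches this class in child mode.
    static String[] javaCmd() {
        String javaBin = System.getProperty("java.home") + File.separator + "bin" + File.separator + "java";
        String cp = System.getProperty("java.class.path");
        return new String[] { javaBin, "-cp", cp, ArgvDemo.class.getName(), "child" };
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && args[0].equals("child")) {
            childMain(Arrays.copyOfRange(args, 1, args.length));
            return;
        }

        String hostile = "a.txt && dir"; // constructed attacker-style input

        // 1. ProcessBuilder with an explicit argument list (method 2 above):
        //    the hostile value travels as exactly ONE argument, metacharacters included.
        List<String> argv = new ArrayList<>(Arrays.asList(javaCmd()));
        argv.add(hostile);
        Process p1 = new ProcessBuilder(argv).redirectErrorStream(true).start();
        System.out.println("ProcessBuilder(List):");
        for (String l : run(p1)) {
            System.out.println("  " + l);
        }

        // 2. Runtime.exec(String): the line is split on whitespace only (no shell),
        //    so "a.txt", "&&" and "dir" arrive as three separate arguments of the
        //    child. "dir" is never executed; it is just argv[2].
        //    (Runtime.exec(String) is deprecated since Java 18 in favour of the array form.)
        String line = String.join(" ", javaCmd()) + " " + hostile;
        Process p2 = Runtime.getRuntime().exec(line);
        System.out.println("Runtime.exec(String):");
        for (String l : run(p2)) {
            System.out.println("  " + l);
        }
    }
}
```

Compile with javac ArgvDemo.java and run with java ArgvDemo. The first launch reports argc=1 with argv[0]=a.txt && dir; the second reports argc=3 with a.txt, && and dir as separate arguments. In neither case is a shell involved, which is the reason the payloads at the top of the post fail. The only way to reach the shell from Java is to spawn it explicitly (cmd.exe /c or sh -c) with a line that embeds user input, and that is the pattern a code review should look for.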


X-Frame-Option is dead, long live Content Security Policy!

Clickjacking (a.k.a. UI redress attack) is an attack in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a different page, while the user believes they are clicking a link on the top-level page. The attacker is thus “hijacking” clicks meant for their own page and routing them to another page, probably owned by another application and/or domain. With a carefully crafted combination of stylesheets, iframes, and text boxes, users can also be led to believe they are typing the password to their own email or bank account, rather than typing into an invisible frame controlled by the attacker.

Existing anti-clickjacking measures include frame-busting scripts and the X-Frame-Options header, yet these cannot protect resources where the set of origins that ought to be permitted and denied is unknown, where attacks may originate from origins that a use scenario is expected to permit, or where the attack is timing-based and involves multiple windows rather than multiple frames. Frame-busting scripts also rely on browser behavior that was never designed to provide a security guarantee; as a consequence, such scripts may be unreliable when loaded inside a sandbox or otherwise disabled.

Content Security Policy (CSP) is a declarative policy that lets a web application restrict the behavior of a document, e.g. the origins from which it may load resources or the ways in which it may execute scripts. By controlling how a resource is presented and how it may interact with the user, CSP can prevent the resource from being used in an ambiguous or deceitful context created by spatial and/or temporal contiguity with other content displayed by the user agent.
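The following is an added example, not code from the original post. It shows the server side of the defense the post describes: a response that carries a CSP frame-ancestors directive together with a legacy X-Frame-Options header for browsers that predate frame-ancestors support. The class, method names, port and the allowed origin https://partner.example are this example's own constructed values. It uses only the JDK's built-in com.sun.net.httpserver package.

```java
import com.sun.net.httpserver.Headers;
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class FrameAncestorsDemo {

    // Build the CSP directive. An empty list means nobody may frame the page;
    // otherwise each entry is a source expression such as 'self' or an origin.
    static String frameAncestors(List<String> allowedOrigins) {
        if (allowedOrigins.isEmpty()) {
            return "frame-ancestors 'none'";
        }
        return "frame-ancestors " + String.join(" ", allowedOrigins);
    }

    // Legacy fallback. X-Frame-Options can only say DENY or SAMEORIGIN, so when a
    // third-party origin is allowed we still emit SAMEORIGIN: browsers that
    // understand CSP give frame-ancestors precedence, and older ones fail closed.
    static String xFrameOptions(List<String> allowedOrigins) {
        return allowedOrigins.isEmpty() ? "DENY" : "SAMEORIGIN";
    }

    // Apply both headers to a response.
    static void addAntiFramingHeaders(Headers h, List<String> allowedOrigins) {
        h.set("Content-Security-Policy", frameAncestors(allowedOrigins));
        h.set("X-Frame-Options", xFrameOptions(allowedOrigins));
    }

    public static void main(String[] args) throws Exception {
        // Constructed policy: the page may be framed by itself and by one partner site.
        List<String> allowed = Arrays.asList("'self'", "https://partner.example");
        // A page that must never be framed would use Collections.emptyList().
        List<String> noFraming = Collections.emptyList();

        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);

        server.createContext("/embeddable", exchange -> {
            byte[] body = "<h1>Embeddable widget</h1>".getBytes(StandardCharsets.UTF_8);
            exchange.getResponseHeaders().set("Content-Type", "text/html; charset=utf-8");
            addAntiFramingHeaders(exchange.getResponseHeaders(), allowed);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });

        server.createContext("/account", exchange -> {
            byte[] body = "<h1>Account settings</h1>".getBytes(StandardCharsets.UTF_8);
            exchange.getResponseHeaders().set("Content-Type", "text/html; charset=utf-8");
            addAntiFramingHeaders(exchange.getResponseHeaders(), noFraming);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });

        server.start();
        System.out.println("Listening on http://127.0.0.1:8080/  (paths: /embeddable, /account)");
    }
}
```

Run it and inspect the headers with curl -I http://127.0.0.1:8080/account: the response carries Content-Security-Policy: frame-ancestors 'none' and X-Frame-Options: DENY, while /embeddable carries frame-ancestors 'self' https://partner.example with the SAMEORIGIN fallback. Sending both headers is the practical compromise: frame-ancestors expresses the real allow-list, and the legacy header covers user agents that do not evaluate it.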
