
Injections... again?

BSides Budapest · 2022 · 24:28 · Published 2023-06
Category: Technical
Style: Talk
About this talk
This presentation was held at the #BSidesBUD2022 IT security conference on 26th May 2022. Márk Módly - Injections... again? In the most recent OWASP Top 10 the category injection finally moved from the first position to a still respectable third place. Why is this category such an unkillable problem, and why do people dismiss it despite its prevalence? In this talk we are diving into the jungle of injection attacks and will avoid the obvious. If you are interested in the diverse species in this group, pop in for a lightweight talk! https://bsidesbud.com All rights reserved. #BSidesBUD2022 #BSides #Injections
Transcript [en]

Ladies and gentlemen, our next speaker is Márk Módly. He'll be asking questions regarding injections.

All right everybody, I hope that we are not that tired, so we could pay a little attention today as well, at the end of the day. So, injections. I believe that we've heard quite a lot about injections in the past two years; I guess I read more articles in the two years than ever before about injections, but today we should not really talk about these kinds of injections, and have a little bit of talk about the OWASP category injection. So my name is Márk Módly, I really love to teach, and before the actual presentation they told me that a good presentation has got three key ingredients: one of them, that it is short; the other one, it is not really long; and the third one, that it ends soon. So I'm going to start by saying, or promising, that I'm going to shorten my presentation in order to fit the time frame that we've got over here. So I do not really like to talk about myself in these kinds of situations. The people who met me during the lunch break know that I'm quite talkative, so after the little presentation feel free to reach out, we could have a little talk, and after midnight we can leave as well.

So, BSides, pun intended, there is another company, or I would say organization, which is quite fond of injections, and this logo should help us out as well. So what is this organization? This is called OWASP, the Open Web Application Security Project, and they have quite a few projects, I would say, which I really adore, and one of those is the OWASP Top 10. I really like Threat Dragon, which is a threat modeling tool provided by OWASP completely free, and the Zed Attack Proxy comes up as well, but I really like this project because it sums up the most recent vulnerabilities, I would say, and therefore it is always a good point to have a picture about the current stance of IT security, or the web world, I would say. So in the most recent OWASP Top 10 release, it was actually last year, in 2021, we've got a completely new topic which is called injection. Nobody ever heard about it, right? No? That's right! Who said no? May the duck be with you, please give it a... So it wasn't introduced last year, but it was introduced the year before, right? Where is the other "no" coming from? All right, I've got a few of them, so be prepared. All right, so it wasn't introduced in 2017. What year was it introduced? No, we are getting closer and closer, but it still wasn't introduced in this year, and I believe it wasn't introduced in this year as well, but in the meantime you've got your duck as well. So let's see, was it introduced this year? We are getting tougher and tougher, and the answer to that is still: freaking no. So basically injection was introduced in 2003. Is there anybody in the audience who was born after this date? Go ahead. So as you can see, if a vulnerability is freaking older than some of the audience, there is something clearly going on, right? Yeah, I heard it right.

So we could talk about a lot of kinds of injections, and I brought here a few, but to be more current: today we had pretty amazing, actually quite amazing, talks, and two of them stood out for me because of the mentions of injections. One of those was the ARP injection, basically route injection, and that's quite amazing that we talked about, and it is still not on the slide. The other topic that we've had was the first GitHub issues. Do we remember what the issue was with the GitHub, I guess, pipeline or runners? What injection was there? It was a command injection, all right. So we've got quite a lot of injections around us. What the hell is on the screen? Is there anybody who could tell me? Go ahead.

It is actually a tree injection, or it is called a trunk injection sometimes. So is there anybody who's got closer to the definition of what injection is, at freaking all? I'm not surprised by the lack of hands over there in the audience. So what on earth are injections at all? So basically we start to say everything is an injection, right? I believe that we do not really have any clear-cut definition of injection itself, so I came up, or actually with the team we came up, with two definitions which could shed some light on what we call injections. Like "data escaping to the control flow", that's something that we would say, that's right. Basically if we are talking about, for example, JPQL, Java Persistence Query Language, injections, that's mostly true as well. We could talk about "unexpected input content with side effects on the application", or inside the application itself. I'm quite all right with these definitions. The OWASP Foundation uses kind of a different explanation to this topic, which is: injection occurs when untrusted data is sent to an interpreter as part of a command or a query. Well, I honestly do not really like this definition, because sometimes there is no actual parser that's involved in that. As we've seen today in the ARP poisoning or the route injection, there is no actual processing there, which is, I would say, different, or would be different if we sanitized that data; that is completely changed. So let's agree that I do not really want to define injection itself, but just, at last, let's agree that it has to do something at least with the unexpectedness of the input that we are working on, or yeah, it has at least side effects. So OWASP is merging topics into injection in the most recent change. If you take a look at that, I know that it is blurry, but if you are familiar with the OWASP topics, then you should know that basically cross-site scripting got merged into injection as well.

For me that's kind of a strange behavior or decision, and let me tell you a little story. In 2002, I believe, I created a content management system, because then PHP was all the rage and Web 2.0 was something that everyone was quite looking into, and we were taking a look at that: wow, this new web thing is shiny and everything. I know I'm old as hell, and I was running with the dinosaurs at one point, I can see from the eyes of the audience, but yeah, basically at that point we were creating the web and we were quite fond of that stuff. One day my created content management system was hacked by none else but my close friend, and he told me that he's done that in a way that he was able to embed JavaScript in one of the posts that he was allowed to write, because it was so sophisticated that it had different privilege levels, administrators and content creators, and he was able to steal the contents of my cookies. And I was like, all right. Back then there was no CSP, and HttpOnly cookies, such fancy things, didn't really exist then, and basically we wouldn't even mention cross-site resource sharing; who heard about those things back then? Basically those were non-existent, and for me this is the point where I start to believe that injection is way broader than it should be. So in 2003 the very first OWASP Top 10 mentioned Command Injection Flaws; the next year, in 2004, the category got renamed posthumously to Injection Flaws, because they broadened it in that year as well. So in 2021 it got just the category of Injection, and you could believe anything that's in there. Your application needs to be checked against the OWASP Top 10 issues, because sometimes that's the criteria, which is dumb in itself, not to mention that. But injection contains now almost everything that you could imagine; we've heard today at least three or four topics that could be considered as injection, I would say.

So I've developed software quite a lot in my life, and what OWASP is doing right now is similar to when you've got a project manager who is unable to say no to new feature requests, and basically, like a snowball, our injection is getting bigger and bigger and bigger. We do not even know right now what injection consists of. On the slide we've seen, I don't know, 10, 20 or something like that, of injections, and we still haven't written everything over there; there are quite a lot of things. So this got me thinking: what else could be considered as an injection which was on the OWASP Top 10 list quite recently? And I would argue that you can consider XML External Entity attacks as injections as well, but of course we need to rename that topic into DTD injection, because you are injecting document type definitions into that. That's a point to that; I would not really merge this topic into injection as well, but yeah, you could do so. Have you ever heard about request smuggling? Nice, a few hands up. All right, would we rename request smuggling into packet injection or something like that? No? That's freaking all right. I think this tendency really has to stop, because OWASP is just overpopulating, I would say, the injection space, and I do not really like that.

So quite a while ago I was working with a telco company, and they had different vendors to choose from, and how do you choose a vendor in IT security sometimes? If you are constricted, really, you do not have the choice to choose, because the space is so limited at the moment that basically if you get a paper that says that you've done the OSCP, then you are considered an expert and every word of yours is true, no matter what. Do not blame me, it is still a good certification, and some certifications are pretty good, but just because you've got a certification, it does not matter in terms of real-life work, because sometimes you do not even know what you should be looking for. And in this vendor selection process we've created fake sites. It wasn't for the telco company, it was a previous project. We created fake sites, and basically we ordered penetration tests from the vendors, and we told them: all right, bring us everything from that site which is missing, which is problematic. And sadly but surely, we haven't got everything back. That's expectable; it was a 10-day time frame and we hid so many bugs in there that even the creators, we did not know how many were there, but there were some intentionally hidden features which were not really recovered then. So I'm gonna take just a few minutes from your time and share with you really just a few not-so-common injections.

So anybody, do we recognize what this is for, or what payloads these are? Have you got the duck? Now you do. All right, so it's template injections what we have here, better to be said it is server-side template injection, because it is better to execute code or do anything on the server side, because that's where the data is and that's where the real value hides. So how do we do the server-side template injection, with the abbreviation SSTI? So first of all we just send an input which should be rendered on any page or in PDF documents, for example. I really love when sites have PDF exports, because most of them are using the FreeMarker template engine, and therefore if you are looking up the FreeMarker template engine codes or exploits there is quite a bunch of them, and you are able to execute system commands in there, which is quite a win, I would say. So then just invoke the requested resource, and when the template is injected, basically in most of the cases we've got code execution, but what we always have: we are able to exfiltrate data from the server itself. So yeah, I would say that's something that needs to be considered, and if you are working as a penetration tester, or you do bug bounties, or even have some experience in capture-the-flag, CTF, games, I would advise looking at those. I believe that the lead boys are here, aren't they? All right, so please do your CTF chores and start your CTF team; basically, as far as I know, the Hungarian CTF teams are quite behind in the world order, if I could say so, and we need to work those up. Those are rookie numbers, we need to pump that up. So what is our next injection topic that I would like to talk about only just a little bit, because it is not really something that most of the web penetration testers would be interested in? So have we ever heard about DLL injections?

I should have gotten more ducks, honestly; this is my last lonely duck, so be prepared for her. So we heard about DLL injections before. So DLL injections are more likely a tool in the malware or privilege escalation world, what you've used it for, and not like the web applications. So what you do is you get the handle of a process and basically modify the memory of the process. I'm not really getting into the details of it: you are modifying the memory of the process, and later on you are basically able to take over from that process, or create, fork, a new process from there where you could work with the rights of the original process, meaning that it is a tool which could be used for privilege escalation purposes. Sorry, it is getting long for me as well. So I just want to say that reflective loading is another topic if you are into DLL injections; it is getting more clever and clever, because we need to avoid antiviruses and stuff, so we do not really write on the disk, and therefore we could fly under the radar for a little bit. In the talk description that I gave there is one question: why do people dismiss the category of injection, or injection as a topic? Any guesses?

I believe they do not dismiss it at all. Have you got a duck? Oh, then someone is still obligated to have a duck at the end of the talk. So people do not really dismiss injection as a topic, it just got so broad, and basically there are a few hundred, I would say, if we came together with XML injections and log injections and cookie injections and stuff, that it is impossible to handle it as a single entity. Let me share with you one story. So a friend of mine wrote... oh my god, that was in the early days, so even before some of the audience was born, we had the browser engine Konqueror. Do we remember that? It's not a fresh one, I would say. So basically one of my friends modified the browser engine, and with each HTTP request he created, or sent, a cookie to the server which contained nothing else than admin=1. So it's laughable, it is so dumb to do, really, it is so dumb, but the results were out of this world. Honestly, I haven't seen so many pages broken into by one "admin equals one", or sorry, a cookie where admin was one. And the fun thing that he created: I told him that I'm going to give this talk and I really like this example, and he told me that just for fun he basically created an extension to Chrome as well which does the same exact thing, and he told me that he was able to get, it was last week or somewhere around that, he was able to get an administration panel without logging into the system, of a Hungarian web shop. I do not recommend to get around and test out Hungarian web shops with this technique, but well, yeah, we are here with injection topics, so you could get administrator rights on web shops basically with a joke like this. So we learned that actually we are really, really behind in terms of understanding injection. We do not really have a commonly acceptable, I would say, definition for it, and right now I think the key takeaway is that we should not generalize the topics to the point of obviation. Is there any question I should answer?

If there is none, I just hope that this talk will end the generalization of injection topics in the OWASP Top 10, and so there will be no sequel to it. Márk, thank you very much. [Applause] I hope you've enjoyed. Who's the youngest member of the audience?

Yeah, the other extreme is also nice. So if you've got any question or just want to hear some fun stories about injection, feel free to reach out to me, I'm still at the conference, and enjoy the rest of it. There is one talk left, as far as I know.
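The "admin=1" cookie story in the talk has a defensive counterpart worth spelling out: authorization state must never be read back from a field the client can write. The Python example below is added here and is not code from the talk or from the speaker. It contrasts a naive check that trusts an `admin` cookie flag with a session cookie whose claims are HMAC-signed by the server and verified before any role is honoured. The secret key, cookie headers and claim names (`role`, `user`) are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie

# Constructed demo key; a real service loads this from a secret store.
SECRET = b"constructed-demo-key-not-for-production"


def _parse_cookies(cookie_header: str) -> SimpleCookie:
    """Parse a raw Cookie header as the server would receive it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar


def naive_is_admin(cookie_header: str) -> bool:
    """Vulnerable pattern from the talk: the client asserts its own role.

    Any browser extension that appends 'admin=1' to every request passes."""
    jar = _parse_cookies(cookie_header)
    return "admin" in jar and jar["admin"].value == "1"


def issue_session(claims: dict, key: bytes = SECRET) -> str:
    """Server-side: encode the claims and sign them with HMAC-SHA256.

    Format is '<base64url(json)>.<hex hmac>' (a constructed format, not JWT)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(body).decode().rstrip("=")
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session(token: str, key: bytes = SECRET):
    """Return the claims only if the signature matches; otherwise None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the signature.
    if not hmac.compare_digest(sig, expected):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def hardened_is_admin(cookie_header: str, key: bytes = SECRET) -> bool:
    """Hardened check: the role comes from verified server-issued claims.

    A bare 'admin=1' cookie is simply ignored; a tampered session fails
    signature verification."""
    jar = _parse_cookies(cookie_header)
    if "session" not in jar:
        return False
    claims = verify_session(jar["session"].value, key)
    return bool(claims) and claims.get("role") == "admin"


def tamper_payload(token: str, new_claims: dict) -> str:
    """Simulate a client editing the claims while keeping the old signature.

    Used only to show that the hardened check rejects the result."""
    _, sig = token.split(".", 1)
    body = json.dumps(new_claims, sort_keys=True, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(body).decode().rstrip("=")
    return f"{payload}.{sig}"


def demo() -> dict:
    """Run the four scenarios on constructed cookie headers."""
    forged_header = "admin=1; theme=dark"
    admin_token = issue_session({"user": "alice", "role": "admin"})
    user_token = issue_session({"user": "bob", "role": "user"})
    edited_token = tamper_payload(user_token, {"user": "bob", "role": "admin"})
    return {
        "naive_trusts_forged_flag": naive_is_admin(forged_header),
        "hardened_ignores_forged_flag": hardened_is_admin(forged_header),
        "hardened_accepts_issued_admin": hardened_is_admin(f"session={admin_token}"),
        "hardened_rejects_edited_claims": hardened_is_admin(f"session={edited_token}"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the signed token is not the encoding but where trust lives: the server only honours a role it signed itself, so the Konqueror and Chrome tricks from the talk degrade from "administration panel" to "ignored cookie". Rotating the key invalidates every outstanding session, which is also the recovery path if the key leaks.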