Use the revised OWASP Top Ten to secure your Web applications -- Part 4
Takeaway: Malicious file execution is one more weakness caused by failing to control application input. In this, the fourth in a series on the revised OWASP Top Ten Web Application Vulnerabilities, Tom Olzak explains the nature of malicious code execution followed by recommendations for protecting Web applications from related attacks.
This article is also available as a TechRepublic download.
Malicious file execution, also listed as Insecure Remote File Include in the OWASP Top Ten, is a vulnerability caused by direct use or concatenation of unvalidated input into file or stream functions. This weakness is found in many Web applications, but it is preventable by coding processes and techniques focused on ensuring a reasonable level of software assurance.
How it works
An attacker relying on this vulnerability is typically looking for a Web application that fails to prohibit or control execution of uploaded files. PHP 4.0.4 through 5.x are by default vulnerable to this type of attack. Other environments, such as .NET and J2EE, are also vulnerable if they allow file upload and execute capabilities within Web directories.
Figure A is a simple example of a potentially dangerous construct taken from the OWASP Top 10 RC1.
[Figure A: A dangerous construct]
Tainted input can result in a file being downloaded from another server and executed within the context of the calling application. It can also be used to run local programs on systems vulnerable to local directory traversal.
Local directory traversal is the act of modifying address strings to gain access to other directories in the system on which the Web application is executing. Even if an attacker did not upload a file, knowledge of where common executables reside within certain operating system environments can provide access to scripts and other executables. Figure B is an example of a directory traversal attack.
[Figure B: Directory traversal attack]
This example, taken from the Web Application Security Consortium's Path Traversal, depicts a traversal attack using special character sequences. "../" was used to traverse up one directory in order to enter the scripts directory. "%00" allows the attacker to bypass any file extension checks. The result of this attack is a view of the file foo.cgi.
If directory permissions are incorrectly configured, the attacker could not only view the file, she could also modify and execute it. Further, malicious scripts uploaded by the attacker can be easily inserted into a directory with broken or nonexistent access controls. It isn't difficult to use this weakness to craft a malicious file execution attack.
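A defender-side check for the "../" and "%00" sequences described above, as an added example that is not from the original article, OWASP or WASC. It is written in Python, but the same order of checks applies in PHP, .NET or J2EE. The directory layout, the allowed-extension set and the sample request values are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

ALLOWED_EXT = {".htm", ".html", ".txt"}  # assumption: what this handler may serve

def resolve_request(base_dir, raw_param):
    """Return the canonical path for a request value, or raise ValueError."""
    name = unquote(raw_param)  # decode %xx once, as the web tier would
    if "\x00" in name:
        # "%00" ends the name early in C-level file APIs, so a suffix
        # check on the raw string would pass while another file is opened.
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))  # collapses "../", symlinks
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")  # judged on the resolved name
    return target

# Constructed request values built from the sequences the article describes.
SAMPLES = [
    "index.htm",
    "../scripts/foo.cgi",
    "..%2Fscripts%2Ffoo.cgi",
    "../scripts/foo.cgi%00.htm",
    "index.php",
]

def check_samples():
    """Evaluate SAMPLES against a throwaway tree; the files need not exist."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        for d in (home, os.path.join(root, "scripts")):
            os.makedirs(d)
        for sample in SAMPLES:
            try:
                resolve_request(home, sample)
                results[sample] = "served"
            except ValueError as exc:
                results[sample] = str(exc)
    return results

if __name__ == "__main__":
    for sample, verdict in check_samples().items():
        print(f"{sample!r:32} {verdict}")
```

The extension test runs last and on the canonical path, so it cannot be satisfied by a suffix that the file system never sees.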
Two additional attack vectors within this vulnerability category include:
- Uploading hostile data to session files or log data, or via image uploads
- Uploading malicious files through the use of compression or audio streams that are not properly screened
Defending against malicious file execution
The business impact of exploits against file inclusion weaknesses is directly proportional to the strength of the sandbox or other application isolation platform in place. Although .NET and J2EE applications are usually abstracted from the environment in which they execute, PHP possesses no sandbox/isolation capabilities.
Input validation is another critical element when defending against threats using file inclusion attack vectors. Validation was covered in Part 3 of this series as well as in Web Application Security: Unvalidated Input. Additional defensive measures include:
- Hide server-side filenames from the user
- Disable allow_url_fopen and allow_url_include in the php.ini file
- Configure firewalls so that servers can't make new connections to external Web sites or internal systems; consider network segmentation to protect critical or highly sensitive systems and data
- Consider using constants or other types of input to scripts that are not supplied by the user
- Use document type definitions to define allowed document structures
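An audit of the two php.ini directives named in the list above, as an added example that is not from the original article. It reports the effective value of each directive, including the case where allow_url_fopen is absent from the file and PHP's default of On applies. The sample php.ini text is constructed, and the script reads one file only; it does not follow any additional .ini files a PHP build may load.

```python
import re

# PHP's documented defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}

def ini_bool(value):
    """Interpret a php.ini boolean: on/true/yes, or a non-zero integer."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "true", "yes"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0

def audit_php_ini(text):
    """Return the effective setting of each directive; the last assignment wins."""
    effective = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.fullmatch(r"(\w+)\s*=\s*(.*)", line)
        if m and m.group(1) in effective:
            effective[m.group(1)] = ini_bool(m.group(2))
    return effective

def findings(text):
    """Names of the directives that are effectively enabled."""
    return sorted(name for name, on in audit_php_ini(text).items() if on)

# Constructed sample: allow_url_fopen is never mentioned, so its default applies.
WEAK_INI = """\
[PHP]
; allow_url_include = Off
allow_url_include = On   ; enabled for a legacy plugin
display_errors = Off
"""

# Constructed sample: both directives disabled explicitly.
HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = 0
"""

if __name__ == "__main__":
    print("weak:", findings(WEAK_INI))
    print("hardened:", findings(HARDENED_INI))
```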
The final word
Malicious file execution is a preventable vulnerability. Coding practices that include input validation and denial of included file execution are a good start, but an effective defense against the execution of unwanted code also includes proper configuration of the underlying infrastructure. Well-designed access controls and firewall configurations support development efforts to protect information assets from an attacker successfully executing a malicious file or achieving expected attack objectives.


