AttackFlow Findings Dictionary

Network Connection Identifier Injection

The attacker changes and steers the behaviour of a system network resource, such as an open connection, towards a target system of his choosing by using application resources.

Severity: High

Fix Cost: Low

Trust Level: High

Web applications need to open outbound network connections to other systems, such as HTTP(S), FTP or raw socket connections. Identifiers such as IP addresses, URLs and ports are used when opening such connections.

Sometimes, due to the nature of the application, these identifiers are supplied by the untrusted end user through HTTP parameters.

Suppose the C# backend code is similar to the following snippet:

// Vulnerable: the port comes straight from the HTTP parameter "port".
String url = "http://internalapp:" + Request["port"];
WebRequest request = WebRequest.Create(url);
HttpWebResponse res = (HttpWebResponse) request.GetResponse();

Using an application backed by the above code, an attacker can send any port number through the HTTP parameter port and, from the responses, carry out a port scan of internalapp, to which he doesn't have direct access. A denial of service attack could also be possible in this situation. It could also be possible to change the domain name if we, as developers, had a line of code such as:

// Vulnerable: the host comes straight from the HTTP parameter "domain".
String url = "http://" + Request["domain"];
WebRequest req = WebRequest.Create(url);
HttpWebResponse res = (HttpWebResponse) req.GetResponse();

Every injection attack occurs because code and untrusted data are mixed in the code. As developers, we are rarely provided with secure APIs that keep these two kinds of information (code and data) apart until runtime. In the above code, mixing the data (the domain coming from the user) with the code (the partial URL in the program) results in Network Identifier injection. The attacker can potentially manipulate the URL and access other systems that he can't access otherwise.

Suppose the Java backend code is similar to the following snippet:

// Vulnerable: the port comes straight from the request parameter "port".
String targetURL = "http://internalapp:" + request.getParameter("port");
try {
    URL url = new URL(targetURL);
    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    connection.setRequestMethod("POST");
    connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
    ...

The same port scan and denial of service are possible against this code. The host name could also be changed if we, as developers, had a line of code such as:

// Vulnerable: the host comes straight from the request parameter "url".
String targetURL = "http://" + request.getParameter("url");
try {
    URL url = new URL(targetURL);
    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    connection.setRequestMethod("POST");
    connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
    ...

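One way to keep the user-supplied value out of the URL, shown as an added example that is not part of the original page or AttackFlow's own code: the port is parsed and checked against an allowlist, and the host is chosen by key from a fixed map. The class name, the allowlisted ports, the service keys and billing.internal.example are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;

public class OutboundTarget {
    // Constructed allowlists (assumptions): the only ports and hosts the application may reach.
    private static final Set<Integer> ALLOWED_PORTS = Set.of(8080, 8443);
    private static final Map<String, String> ALLOWED_HOSTS = Map.of(
            "reports", "internalapp",
            "billing", "billing.internal.example");

    // Port variant: parse to an int first, then require allowlist membership.
    static URI forPort(String portParam) throws URISyntaxException {
        int port;
        try {
            port = Integer.parseInt(portParam);   // null or non-numeric input throws here
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("port is not a number");
        }
        if (!ALLOWED_PORTS.contains(port)) {
            throw new IllegalArgumentException("port not allowed: " + port);
        }
        // Components are passed separately, so no request text is concatenated into the URL.
        return new URI("http", null, "internalapp", port, "/", null, null);
    }

    // Host variant: the request carries a key; the host name never comes from the request.
    static URI forService(String serviceKey) throws URISyntaxException {
        String host = (serviceKey == null) ? null : ALLOWED_HOSTS.get(serviceKey);
        if (host == null) {
            throw new IllegalArgumentException("unknown service");
        }
        return new URI("http", null, host, -1, "/", null, null);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(forPort("8080"));
        System.out.println(forService("billing"));
        for (String bad : new String[] {"22", "80/admin", ""}) {   // constructed inputs
            try {
                forPort(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```

The returned URI can be handed to the connection code in place of the concatenated string; setting connect and read timeouts on that connection limits the denial of service exposure mentioned above.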
