1
00:00:03,960 --> 00:00:10,770
Hello, in this laboratory, we will experience exploitation and mitigation of an OS command injection

2
00:00:10,770 --> 00:00:11,610
vulnerability.

3
00:00:11,930 --> 00:00:14,870
I have set up a very simple feature on this page.

4
00:00:15,180 --> 00:00:22,590
The user can select the type of data via the combo box and, by pressing the button, the value relating

5
00:00:22,590 --> 00:00:25,320
to the choice is displayed with a postback.

6
00:00:26,070 --> 00:00:32,430
Each combo box value corresponds to the display, when the page is reloaded, of an environment

7
00:00:32,430 --> 00:00:37,860
variable of the web server. From how the page functions and the values displayed,

8
00:00:37,860 --> 00:00:47,070
it can therefore be assumed that there is the invocation of some operating system shell command

9
00:00:47,610 --> 00:00:49,190
on the server side.

10
00:00:54,680 --> 00:00:55,190
So.

11
00:00:56,740 --> 00:01:01,550
A command that reads and returns values of environment variables.

12
00:01:02,140 --> 00:01:09,060
So if you presume this, you can go on to test whether an attack could be successful.

13
00:01:12,890 --> 00:01:16,730
Let's go to the Chrome developer tools

14
00:01:20,490 --> 00:01:29,970
and let's identify the combo box, the Select tag, in the DOM of the page. The Select tag has three option

15
00:01:29,970 --> 00:01:32,400
elements with their values

16
00:01:33,630 --> 00:01:39,240
set to recall three server-side environment variables or commands.

17
00:01:42,680 --> 00:01:43,670
These are

18
00:01:45,170 --> 00:01:56,180
echo %username%, date/t and echo %cd%, which are precisely the three operating system commands

19
00:01:57,610 --> 00:01:59,800
invoked server-side.

20
00:02:08,930 --> 00:02:09,490
OK.

21
00:02:12,070 --> 00:02:12,550
So.

22
00:02:17,380 --> 00:02:22,750
Let's try to modify the value of the second option element.

23
00:02:25,730 --> 00:02:31,250
We replace the date/t command with the whoami command.

24
00:02:36,630 --> 00:02:41,040
And it displays the user's name, or

25
00:02:42,460 --> 00:02:56,140
we can now insert the command dir, and then we can see all the server-side content of the current directory.

26
00:03:00,040 --> 00:03:01,120
OK, so.

27
00:03:03,000 --> 00:03:06,540
Let's try to see how to mitigate the vulnerability.

28
00:03:09,350 --> 00:03:21,500
Now, I remove the comment from a conditional switch block, which is used to check if the command you

29
00:03:21,500 --> 00:03:32,720
want to execute falls within one of the acceptable values; otherwise you exit the page load without

30
00:03:32,720 --> 00:03:34,100
doing anything.

31
00:03:39,930 --> 00:03:48,960
So in practice, a whitelist of acceptable commands is created; any other command not included

32
00:03:48,960 --> 00:03:50,070
is discarded.

33
00:03:51,240 --> 00:03:53,330
Let's try now

34
00:03:54,400 --> 00:03:57,760
to run the laboratory again with the mitigation.

35
00:03:59,530 --> 00:04:00,700
The page

36
00:04:02,320 --> 00:04:07,300
without malicious injection works as before.

37
00:04:15,040 --> 00:04:15,640
OK.

38
00:04:17,840 --> 00:04:20,600
Now, I activate the developer tools again.

39
00:04:22,280 --> 00:04:23,690
And now

40
00:04:27,030 --> 00:04:35,810
I inject the shell command dir into the second option element as before, but this time, on clicking the

41
00:04:35,820 --> 00:04:38,070
button to execute the injected command,

42
00:04:39,050 --> 00:04:40,810
it is not executed.

43
00:04:42,360 --> 00:04:43,320
So, thank you.