Kingdom: Input Validation and Representation

Input validation and representation problems are caused by metacharacters, alternate encodings, and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

Object Injection

Abstract
Deserializing untrusted data allows the injection of arbitrary PHP objects, which can cause the program to execute malicious commands on behalf of an attacker.
Explanation
Object injection vulnerabilities occur when untrusted data is not properly sanitized before being passed to the unserialize() function. Attackers could pass specially crafted serialized strings to a vulnerable unserialize() call, resulting in the injection of arbitrary PHP objects into the application scope. The severity of this vulnerability depends on the classes available in the application scope. Classes implementing PHP magic methods such as __wakeup or __destruct are of particular interest to attackers, because the code within these methods runs automatically when the object is deserialized or destroyed.

Example 1: The following code shows a PHP class implementing the __destruct() magic method and executing a system command defined as a class property. There is also an insecure call to unserialize() with user-supplied data.


...
class SomeAvailableClass {
  public $command = null;
  public function __destruct() {
    system($this->command);
  }
}
...
$user = unserialize($_GET['user']);
...


In Example 1, the application may be expecting a serialized User object but an attacker may actually provide a serialized version of SomeAvailableClass with a predefined value for its command property:


GET REQUEST: http://server/page.php?user=O:18:"SomeAvailableClass":1:{s:7:"command";s:8:"uname -a";}


The destructor method will be called as soon as there are no other references to the $user object and then it will execute the command provided by the attacker.

Attackers may chain different classes that are declared at the time the vulnerable unserialize() is called, using a technique known as "Property Oriented Programming", which was introduced by Stefan Esser at the BlackHat 2010 conference. This technique allows an attacker to reuse existing code to craft their own payload.
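One way to spot requests of the kind shown in Example 1 in web access logs, as an added example in Ruby that is not part of the original page. The names php_object_classes and flag_request and the sample request targets are assumptions constructed for illustration; the first sample reuses the request from Example 1.

```ruby
require 'uri'

# PHP serialize() object token: O:<len>:"<Class>":<count>:{
# (C: is the token written by classes that implement Serializable).
PHP_OBJECT_TOKEN = /\b[OC]:(\d+):"([^"]*)":\d+:\{/

# Returns the class names of every well-formed object token in +value+.
# The declared length must equal the byte length of the class name, which
# filters out look-alike text and matches how PHP counts the length.
def php_object_classes(value)
  value.b.scan(PHP_OBJECT_TOKEN)
       .select { |len, name| name.bytesize == len.to_i }
       .map { |_len, name| name }
end

# Takes one request target from an access log and returns
# { parameter => [class names] } for each query parameter that carries a
# serialized PHP object, including objects nested inside arrays.
def flag_request(target)
  query = target.split('?', 2)[1]
  return {} if query.nil?

  findings = {}
  URI.decode_www_form(query).each do |key, val|
    classes = php_object_classes(val)
    findings[key] = classes unless classes.empty?
  end
  findings
rescue ArgumentError
  {} # malformed percent-encoding; nothing could be decoded
end

# Constructed sample request targets (percent-encoded as a client would).
SAMPLE_TARGETS = [
  '/page.php?' + URI.encode_www_form(
    user: 'O:18:"SomeAvailableClass":1:{s:7:"command";s:8:"uname -a";}'
  ),
  '/page.php?' + URI.encode_www_form(user: 'a:1:{i:0;O:4:"User":0:{}}', page: '2'),
  '/search.php?' + URI.encode_www_form(q: 'ratio O:3 and "quotes"')
].freeze
```

A hit on a parameter that should only ever hold scalar data is a strong signal that the value reaches unserialize() somewhere and deserves review.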
References
[1] Johannes Dahse, Nikolai Krein, and Thorsten Holz, Code Reuse Attacks in PHP: Automated POP Chain Generation
[2] Stefan Esser, Utilizing Code Reuse/ROP in PHP Application Exploits
[3] Standards Mapping - Common Weakness Enumeration CWE ID 502
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [23] CWE ID 502
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [21] CWE ID 502
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [13] CWE ID 502
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [12] CWE ID 502
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [15] CWE ID 502
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements (L2 L3), 5.5.1 Deserialization Prevention Requirements (L1 L2 L3), 5.5.3 Deserialization Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A8 Insecure Deserialization
[19] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.php.object_injection
Abstract
Deserializing untrusted data allows the injection of arbitrary Ruby objects, which can cause the program to execute malicious commands on behalf of an attacker.
Explanation
Object injection vulnerabilities occur when untrusted data is not properly sanitized before being passed to a function that deserializes data, such as YAML.load(). Attackers could pass specially crafted serialized strings to a vulnerable YAML.load() call, resulting in arbitrary Ruby objects being injected into the program, as long as the class is loaded into the application at the time of deserialization. This may open up a range of attack opportunities, such as bypassing validation logic to reach cross-site scripting vulnerabilities, allowing SQL injection through what appear to be hardcoded values, or even full code execution.

Example 1: The following code shows a Ruby class that builds a SQL query from its attributes and runs it against the database. There is also an insecure call to YAML.load() with user-supplied data.


...
class Transaction
  attr_accessor :id
  def initialize(num=nil)
    @id = num.is_a?(Numeric) ? num : nil
  end

  def print_details
    unless @id.nil?
      print $conn.query("SELECT * FROM transactions WHERE id=#{@id}")
    end
  end
end

...
user = YAML.load(params[:user])
user.print_details
...


In Example 1, the application may be expecting a serialized User object, which also happens to have a function called print_details, but an attacker may actually provide a serialized version of a Transaction object with a predefined value for its @id attribute. A request such as the following can thus bypass the validation check that attempts to make sure @id is a numeric value:


GET REQUEST: http://server/page?user=!ruby%2Fobject%3ATransaction%0Aid%3A4%20or%205%3D5%0A


Decoded, the user parameter is assigned !ruby/object:Transaction\nid:4 or 5=5\n.
Deserializing the user parameter now creates an object of type Transaction with @id set to "4 or 5=5". Where the developer believes they are calling User#print_details(), they are actually calling Transaction#print_details(), and Ruby's string interpolation changes the SQL query to: SELECT * FROM transactions WHERE id=4 or 5=5. Because of the extra clause, the condition evaluates to true for every row, and the query returns everything in the transactions table instead of the single row the developer intended.

Attackers may chain different classes that are declared at the time the vulnerable YAML.load() is called, using a technique known as "Property Oriented Programming", which was introduced by Stefan Esser at the BlackHat 2010 conference. This technique allows an attacker to reuse existing code to craft their own payload.
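The vulnerable load from Example 1 beside a hardened form, as an added example that is not part of the original page. The helper names unsafe_load_id and load_user_id and the TAGGED input are assumptions constructed for illustration, and the Transaction class is a stand-in with the database call omitted.

```ruby
require 'yaml'

# Stand-in for the page's Transaction class (database call omitted).
class Transaction
  attr_accessor :id

  def initialize(num = nil)
    @id = num.is_a?(Numeric) ? num : nil
  end
end

# Constructed input: a YAML document tagged as a Transaction object.
TAGGED = "--- !ruby/object:Transaction\nid: 4 or 5=5\n"

# Vulnerable pattern from the page: full object deserialization. Psych 4
# (Ruby 3.1+) made YAML.load safe by default and moved this behaviour to
# YAML.unsafe_load; older versions instantiate objects from YAML.load.
def unsafe_load_id(raw)
  obj = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(raw) : YAML.load(raw)
  obj.id # set without running initialize, so the Numeric check never ran
end

# Hardened pattern (hypothetical helper): plain data only, then an explicit
# integer check. Returns the id, or nil when the input is rejected.
def load_user_id(raw)
  data = YAML.safe_load(raw, permitted_classes: [], aliases: false)
  return nil unless data.is_a?(Hash)

  Integer(data['id'].to_s, 10)
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError, ArgumentError
  nil
end
```

The integer check matters on its own: an untagged document such as "id: 4 or 5=5" passes safe_load as an ordinary string and is stopped only by Integer().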
References
[1] HD Moore, Serialization Mischief in Ruby Land (CVE-2013-0156)
[2] Ruby, Ruby Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 502
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [23] CWE ID 502
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [21] CWE ID 502
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [13] CWE ID 502
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [12] CWE ID 502
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [15] CWE ID 502
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements (L2 L3), 5.5.1 Deserialization Prevention Requirements (L1 L2 L3), 5.5.3 Deserialization Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A8 Insecure Deserialization
[19] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.ruby.object_injection