One of the best resources online for a quick introduction to secure coding and reviews!
@nnme-pf9bj 5 years ago
At 59:17, actually the top is incorrect syntax: String commandArgs = {}; gives "Type mismatch: cannot convert String[] to String".
@paulionescu757 5 years ago
You're right, thanks :) Will correct it in the presentation.
@nnme-pf9bj 5 years ago
Hi, at 58:05 what payload is used to exploit bottom.java? I think bottom.java is not vulnerable even if you can control a malicious input, because Runtime.getRuntime().exec(String array) is safe.
@paulionescu757 5 years ago
Oh, but you missed the fact that the input is passed to cmd or /bin/sh :) So the injection actually happens on the command line. '`command`', '; command', '| command' or for Windows '& command' all work. In fact you can see the same code right here: github.com/trendmicro/SecureCodingDojo/blob/aa7ab0bc4d8944bb7d4df2ce04853749e6c46ec6/insecureinc/WebContent/cwe78admin.jsp#L27
@nnme-pf9bj 5 years ago
Hi @paulionescu757, I do not agree with you. In github.com/trendmicro/SecureCodingDojo/blob/aa7ab0bc4d8944bb7d4df2ce04853749e6c46ec6/insecureinc/WebContent/cwe78admin.jsp#L27 it is a bug, I completely agree, because it passes user input to %s, so the final command will be: String[] commandArgs = {"/bin/sh", "-c", "ping -c 4 xxx.xxx.xxx.xxx | "};. Notice it has 3 arguments and a correct command injection format. But at 58:05 in bottom.java the final command will be: String[] commandArgs = {"/bin/sh", "-c", "ping", ""}; and it is not a bug. commandArgs will have 4 arguments, and if it is passed to the exec function, the 4th will be the argument of the "ping" command.
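The thread above turns on where the user-controlled host string ends up: inside the single string that /bin/sh -c parses (where ';' and '|' are shell operators), or as its own argv element passed straight to ping (where they are just bytes in a hostname). The following Java class is an added example written for this page; it is not code from the talk or from the SecureCodingDojo project. The class name PingCommand, the method names, and the allowlist pattern are assumptions chosen for illustration; the sample input is constructed.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.regex.Pattern;

public class PingCommand {

    // Allowlist for the host argument: hostname characters and IPv4 literals only.
    // Shell metacharacters (; | & ` $ space, etc.) cannot pass this check.
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");

    // Vulnerable shape discussed in the thread: the host is concatenated into the
    // one string that /bin/sh -c tokenises, so "127.0.0.1; command" runs two commands.
    // Note that exec(String[]) did not help here, because element 3 is itself a
    // shell command line.
    static String[] shellConcatArgv(String host) {
        return new String[] {"/bin/sh", "-c", "ping -c 4 " + host};
    }

    // The other shape from the thread: "ping" is the whole command string and the
    // host is a separate element. For sh -c, arguments after the command string are
    // bound to $0, $1, ... of the shell, so here the host becomes $0 and is never
    // seen by ping at all (no injection, but also not the command the author wanted).
    static String[] shellSeparateArgv(String host) {
        return new String[] {"/bin/sh", "-c", "ping", host};
    }

    // Hardened shape: no shell in the picture. ping is executed directly and the
    // validated host is a single argv element that the kernel passes verbatim.
    static String[] safeArgv(String host) {
        if (!HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("host rejected by allowlist: " + host);
        }
        return new String[] {"ping", "-c", "4", host};
    }

    // Runs an argv array without a shell; used only with safeArgv output.
    static int run(String[] argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).inheritIO().start();
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input using the '; command' form mentioned in the thread.
        String tainted = "127.0.0.1; command";

        // Only printed, never executed: shows how the same input lands in each shape.
        System.out.println("concatenated into sh -c : " + Arrays.toString(shellConcatArgv(tainted)));
        System.out.println("separate element after -c: " + Arrays.toString(shellSeparateArgv(tainted)));

        try {
            safeArgv(tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened path: " + e.getMessage());
        }

        // Valid input goes straight to ping with no shell involved.
        int exit = run(safeArgv("127.0.0.1"));
        System.out.println("ping exit status: " + exit);
    }
}
```

The two defensive measures shown are independent: ProcessBuilder with a direct argv array removes the shell from the call path, and the allowlist rejects anything that is not a plausible host before it reaches any process at all. In a code review, the question to ask of every exec or ProcessBuilder call is which element the user input lands in and whether that element is later parsed by a shell.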