3. Different from XSS
    XSS: entry point is from web to web.
    CIA: entry point is from a backend login console (FTP/Telnet) to the web interface.
4. CIA Characteristics
    Exploits the default nature of the FTP/Telnet protocol.
    Admin interfaces: {Web, FTP, Telnet}.
    Logging module running as root.
    DOM and HTML rendered as dynamic content.
    Attacks are persistent in nature.
    Hardware devices: firewalls, disk stations, management systems, etc.
5. Truth About FTP
    The default design of FTP accepts both the username and the password before the authentication process and complete verification take place.
    No check on the number of login attempts.
    No check on the type of characters accepted.
6. Old Buffer Trick
    root@redux$ ftp example.com
    Connected to example.com.
    220 Disk Station FTP server at DiskStation ready.
    User (example.com:(none)): AAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA
    331 Password required for AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA.
    Password:
    530 Login incorrect.
    Login failed.
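The session above shows the property a defender can watch for: the daemon logs whatever username was typed, whether or not authentication succeeded. The following detection routine is an added example and not part of the deck; it runs over constructed vsftpd-style log lines (the format, the client addresses and the usernames are all made up here) and flags overlong usernames and usernames carrying markup characters, while also counting failed logins per client.

```python
import re
from collections import Counter

# Constructed sample lines in a vsftpd-style layout (not taken from the deck).
LONG_NAME = "A" * 60
SAMPLE_LOG = (
    f'Sun Jan  1 12:00:00 2012 [pid 2345] [{LONG_NAME}] FAIL LOGIN: Client "192.0.2.10"\n'
    'Sun Jan  1 12:00:05 2012 [pid 2345] [admin] OK LOGIN: Client "192.0.2.20"\n'
    'Sun Jan  1 12:00:09 2012 [pid 2346] [<b>hello</b>] FAIL LOGIN: Client "192.0.2.10"\n'
    'Sun Jan  1 12:00:12 2012 [pid 2347] [backup] FAIL LOGIN: Client "192.0.2.30"\n'
)

# Greedy match on the user field so a "]" inside the typed name does not cut it short;
# the literal "] OK/FAIL LOGIN" anchor that follows disambiguates.
LINE_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>.*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
MAX_USERNAME_LEN = 32          # assumed policy for a sane account name
MARKUP_CHARS = set('<>"\'&')   # characters that become markup if rendered raw


def audit_ftp_log(text, max_len=MAX_USERNAME_LEN):
    """Return (findings, failures): suspicious username entries as
    (client, truncated_user, reasons) and a per-client count of failed logins."""
    findings = []
    failures = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, result, client = m.group("user", "result", "client")
        if result == "FAIL":
            failures[client] += 1
        reasons = []
        if len(user) > max_len:
            reasons.append("overlong username (%d chars)" % len(user))
        if MARKUP_CHARS & set(user):
            reasons.append("markup characters in username")
        if reasons:
            # Truncate before reporting so the finding itself stays harmless to display.
            findings.append((client, user[:16], reasons))
    return findings, failures


if __name__ == "__main__":
    found, fails = audit_ftp_log(SAMPLE_LOG)
    for client, user, reasons in found:
        print(client, repr(user), "; ".join(reasons))
    print("failed logins per client:", dict(fails))
```

The two checks are deliberately independent: a long run of identical characters and a name containing angle brackets are different signals, and a single client producing several failures with either pattern is the combination worth alerting on.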
8-13. Design of the Application (one diagram, built up across slides 8 to 13)
    Inject Payload -> FTP LOGIN INTERFACE -> FTP Authentication Module -> FTP Logging Module (runs as root or administrator) -> Web Interface (unencoded/unfiltered HTML rendering)
23. DEFENSE
    A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.
    The error reporting mechanism should be used in conjunction with the FTP authentication module to restrict the acceptance of malicious input through login consoles.
    The logging process should not run as the administrator or root user.
    The logs should be rendered in a customized format which does not allow DOM and HTML elements to be rendered as dynamic content.
    Log content should be inspected before it is served and the Content-Type defined explicitly, so the browser does not sniff log data and treat it as markup.
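The defenses on this slide and the gaps listed under "Truth About FTP" (no attempt limit, no character check) can be shown together in code. The block below is an added example, not code from the deck or from any vendor's firmware; the username whitelist, the attempt limit, the `LoginGate` class and the `render_log_html` function are all assumptions chosen for illustration. It gates the login console with a whitelist and a per-client failure counter, stores a fixed marker instead of the raw rejected input, and HTML-escapes every field when the log is rendered for the web interface, with an explicit Content-Type and nosniff header on the response. Running the logging process unprivileged is an operating-system configuration matter and is not shown here.

```python
import html
import re

# Assumed whitelist policy for names typed at the FTP/Telnet login console:
# bounded length, letters, digits and ._- only.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")
MAX_ATTEMPTS = 5


def valid_username(name):
    """Protocol-level whitelist check applied before auth or logging see the name."""
    return USERNAME_RE.fullmatch(name) is not None


class LoginGate:
    """Wraps the authentication module (a callable supplied by the caller):
    counts failures per client and refuses whitelist violations up front."""

    def __init__(self, check_credentials, max_attempts=MAX_ATTEMPTS):
        self.check_credentials = check_credentials
        self.max_attempts = max_attempts
        self.failures = {}   # client address -> consecutive failed attempts
        self.log = []        # (client, username_as_stored, outcome)

    def attempt(self, client, username, password):
        if self.failures.get(client, 0) >= self.max_attempts:
            self.log.append((client, "[locked]", "locked"))
            return "locked"
        if not valid_username(username):
            self.failures[client] = self.failures.get(client, 0) + 1
            # Store a fixed marker, never the raw input, so nothing untrusted
            # reaches the log in the first place.
            self.log.append((client, "[invalid-username]", "rejected"))
            return "rejected"
        ok = self.check_credentials(username, password)
        if ok:
            self.failures.pop(client, None)
        else:
            self.failures[client] = self.failures.get(client, 0) + 1
        self.log.append((client, username, "ok" if ok else "failed"))
        return "ok" if ok else "failed"


def render_log_html(entries):
    """Render log rows for the web UI with every field escaped, so stored text
    can never become markup even if an upstream check was bypassed."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
        % tuple(html.escape(str(field), quote=True) for field in entry)
        for entry in entries
    )
    return "<table>%s</table>" % rows


def response_headers():
    """Explicit content type plus nosniff, so the browser never guesses."""
    return {"Content-Type": "text/html; charset=utf-8",
            "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    gate = LoginGate(lambda u, p: u == "admin" and p == "secret", max_attempts=2)
    for user, pw in (("<b>x</b>", "p"), ("admin", "wrong"), ("admin", "secret")):
        print(user, "->", gate.attempt("192.0.2.10", user, pw))
    print(render_log_html(gate.log))
    print(response_headers())
```

Escaping at render time is the control that matters most: the whitelist reduces what reaches the log, but the web interface must treat every stored field as text regardless, because logs may also contain entries written by older firmware or other daemons that applied no check.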