Injection Vulnerabilities
An Introduction


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu

Overview
  • The Nature of the Vulnerability:
    • User input is treated as executable code/instructions/commands
  • The Nature of Attacks:
    • The attacker provides malicious input
SQL Injection
  • The Vulnerability:
    • Combining query language fragments with untrusted data (e.g., using dynamic string building)
  • An Example:
    • "SELECT Name FROM Student WHERE Year = '" + data + "'"
  • Example Availability Attack:
    • The attacker enters "'; DROP TABLE Assistants; --'" (where -- starts a comment)
  • Example Integrity Attack:
    • The attacker enters "'; UPDATE Assistants SET Performance='Poor' WHERE Name='Jones'; --'"
  • Example Confidentiality Attack:
    • The attacker enters "'; SELECT * FROM Grades; --'"
SQL Injection (cont.)
[Image: Nerd Humor - Exploits of a Mom (Courtesy of xkcd)]
SQL Injection (cont.)
  • A Common Approach to Authentication:
    • "SELECT * FROM Users WHERE Username='" + $username + "' AND Password='" + $password + "'"
  • An Attack that Bypasses the Password:
    • Enter your username as ' OR 1=1 --
SQL Injection (cont.)
  • One Way Attackers Find Vulnerabilities:
    1. Provide input that will result in a syntax error (e.g., a single quote or semicolon), which often produces an error message that contains the query
    2. Provide input that provides information about all of the tables (e.g., using SELECT Table_Name FROM INFORMATION_SCHEMA.Tables or SELECT TABLE_NAME FROM USER_TABLES)
  • Mitigation:
    • Disable/change error messages
SQL Injection (cont.)
  • Another Way Attackers Find Vulnerabilities (Blind Injection):
    1. Provide input that will always evaluate to true (e.g., '' OR '1' = '1')
    2. Provide input that will always evaluate to false (e.g., '' OR '1' = '2')
    3. Identify the format of answers to yes/no questions.
    4. Provide input that is equivalent to a series of yes/no questions (e.g., does the database contain a table with a name that starts with the letter 'A')
  • Mitigation:
    • Limit the number of queries and increase the amount of time between queries from a single source
SQL Injection (cont.)
  • Mitigation:
    • Validate data (Note: Allow-lists are preferred to deny-lists)
    • Encode/escape strings (e.g., using mysql_real_escape_string() in PHP)
    • Use parameterized queries rather than dynamic strings, e.g.:
      database.queryText = "SELECT Name FROM Student WHERE Year = ?";
      database.addParameter(inputYear);
      database.executeQuery();
  • Notes:
    • Input validation (e.g., using regular expressions) can be very time-consuming and lead to denial of service attacks (though there are tools for testing regular expressions, like SDL Regex Fuzzer)
SQL Injection - Other Things to Pay Attention To
  • Numeric Fields:
    • Escaping the single-quote and double-quote characters might not be enough when the database contains numeric fields
  • Character Insertions:
    • Characters can often be inserted in many ways, not just as literals (e.g., using the char() function)
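The authentication bypass, the parameterized-query mitigation, and the numeric-field caveat above, worked through in one added example (not part of the slides). It assumes Python's built-in sqlite3 module and a constructed in-memory database standing in for the slides' Users and Student tables:

```python
import sqlite3

# Constructed in-memory database standing in for the slides' Users and Student tables.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE Users (Username TEXT, Password TEXT);
    INSERT INTO Users VALUES ('jones', 'secret');
    CREATE TABLE Student (Name TEXT, Year INTEGER);
    INSERT INTO Student VALUES ('Smith', 1), ('Jones', 2), ('Brown', 3);
""")

def login_dynamic(username, password):
    """Vulnerable: the slides' authentication query built by string concatenation."""
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(username, password):
    """Mitigated: placeholders; the driver binds the values, so they are never parsed as SQL."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()

def escape_quotes(s):
    """Quote-doubling escape (what an escaping function does for single quotes)."""
    return s.replace("'", "''")

def students_escaped_numeric(year):
    """Still vulnerable: Year is numeric and unquoted, so escaping quotes changes nothing."""
    sql = "SELECT Name FROM Student WHERE Year = " + escape_quotes(year)
    return conn.execute(sql).fetchall()

def students_parameterized(year):
    """Mitigated: the bound value is compared as a value, whatever characters it contains."""
    return conn.execute("SELECT Name FROM Student WHERE Year = ?", (year,)).fetchall()

if __name__ == "__main__":
    print(login_dynamic("' OR 1=1 --", "wrong"))        # the user row: password bypassed
    print(login_parameterized("' OR 1=1 --", "wrong"))  # []
    print(students_escaped_numeric("2 OR 1=1"))         # all three students
    print(students_parameterized("2 OR 1=1"))           # []
```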
Injection into Other Interpreters
  • LDAP:
    • The Lightweight Directory Access Protocol (LDAP) is used to query and manipulate directory services
    • A query is formatted as name=value[,...]
    • In WWW apps, the filter is often built dynamically from user input (e.g., ldapSearchQuery = "(cn=" + $eID + ")";), which leads to injections like "*" or "bernstdh)(|(password=*))"
  • sendmail:
    • Used to send email messages (usually from your own server)
    • Can be invoked in PHP using the function
      bool mail($to, $subject, $message [, $headers [, $parameters]])
      and is often called with user-supplied values
  • Others:
    • Hibernate Query Language (HQL)
    • XPATH
    • XQuery
    • XSLT
    • XML
Command/Instruction Injection
  • Vulnerabilities in Different Languages:
    • C (POSIX): execlp(), execvp(), popen(), system()
    • C (MS Windows): ShellExecute(), _wsystem()
    • Java: Class.forName(), Class.newInstance(), Runtime.exec()
    • JavaScript: eval()
    • Perl: backticks (`), pipe opens (|), eval, exec, system
    • PHP: eval()
    • Python: eval, exec, execfile, os.open, os.system
    • Ruby: Kernel.eval(), Kernel.exec(), Kernel.fork()
  • Mitigation:
    • Validate/sanitize data (Note: Allow-lists are preferred to deny-lists)
    • Write wrapper functions/methods
    • Some languages (e.g., Perl, Ruby) include a taint mode that provides checks
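The "validate with an allow-list" and "write wrapper functions" mitigations together, as an added example in Python (not from the slides): the wrapper accepts only syntactically valid hostnames and passes the value as a separate argv element, so no shell ever sees it. The ping flag -c is an assumption about a Unix-style ping:

```python
import re
import subprocess

# Allow-list: a hostname is dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
_HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def build_ping_argv(host: str) -> list:
    """Wrapper around the ping command: reject anything outside the allow-list,
    then return the command as an argv list (host is one element, never re-parsed)."""
    if len(host) > 253 or not _HOSTNAME.match(host):
        raise ValueError("host rejected by allow-list: %r" % host)
    return ["ping", "-c", "1", host]   # -c assumed: Unix-style ping

def ping(host: str) -> int:
    """Run the validated command without a shell (no string-to-shell step at all)."""
    return subprocess.run(build_ping_argv(host), check=False).returncode

def vulnerable_command_string(host: str) -> str:
    """For contrast: the single string that system()/popen()/os.system() would
    hand to a shell, where separators and metacharacters in host become commands."""
    return "ping -c 1 " + host

if __name__ == "__main__":
    print(build_ping_argv("www.jmu.edu"))                 # ['ping', '-c', '1', 'www.jmu.edu']
    print(vulnerable_command_string("www.jmu.edu; date")) # 'ping -c 1 www.jmu.edu; date' (two commands)
    try:
        build_ping_argv("www.jmu.edu; date")
    except ValueError as e:
        print("rejected:", e)
```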
JSON Injection
  • What is JSON (JavaScript Object Notation):
    • A data interchange format that is human readable/writeable and valid JavaScript (and easy to parse in other languages)
  • An Example:
    • { "personalName": "David", "lastName": "Bernstein", "age": 40, "children": [] }
  • The Vulnerability:
    • JSON data is often parsed using the eval() function and then used to populate a document
  • The Attack:
    • Include an immediately-invoked function in the JSON representation
  • Mitigation:
    • Include the JSON representation in a document with an appropriate Content-Type (e.g., application/json)
    • Sanitize the JSON (e.g., using the OWASP JSON Sanitizer)
    • Use a JSON parser rather than eval()
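The eval()-versus-parser point above, as an added example in Python (not the slides' code; in a browser the same contrast applies to JavaScript's eval() and JSON.parse()). The inert lambda stands in for the immediately-invoked function the slide describes; both inputs are constructed:

```python
import json

# Constructed: the slides' JSON example.
GOOD_JSON = '{ "personalName": "David", "lastName": "Bernstein", "age": 40, "children": [] }'

# Constructed: the same shape, but one value is an immediately-invoked function.
# The body here is inert; in a browser it could be any script.
TAMPERED = '{ "personalName": (lambda: "executed")(), "age": 40 }'

def parse_with_eval(text):
    """What the slides warn against: eval() treats the text as code, so the function runs."""
    return eval(text)

def parse_with_parser(text):
    """Mitigation: a JSON parser accepts JSON data syntax only and raises on anything else."""
    return json.loads(text)

def load_profile(text):
    """Parse, then check the shape before the data is used to populate a document."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or not {"personalName", "lastName"} <= obj.keys():
        raise ValueError("unexpected JSON shape")
    return obj

if __name__ == "__main__":
    print(parse_with_eval(TAMPERED)["personalName"])   # executed
    try:
        parse_with_parser(TAMPERED)
    except ValueError as e:
        print("parser rejected it:", e)
    print(load_profile(GOOD_JSON)["lastName"])         # Bernstein
```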
Multi-Level Injection
  • The Vulnerability:
    • One context that is vulnerable to an injection attack has the ability to execute code in another context
  • An Example:
    • Microsoft SQL Server can be configured to run a stored procedure named xp_cmdshell, which executes commands in the command shell
  • Mitigation:
    • These kinds of vulnerabilities can be difficult to mitigate entirely (e.g., a stored procedure that can be disabled/removed can often be enabled/restored by an attacker with appropriate privileges)
    • Hence, mitigation often involves multiple steps (e.g., disable the stored procedure, remove the stored procedure, and run with appropriate privileges)
Cross-Site Scripting (XSS)
  • The Nature of the Vulnerability:
    • A "dynamic" (HTML) document that has user-supplied data written into it
  • The Nature of Attacks:
    • The attacker "tricks" the user into supplying data to a server in various different ways
There's Always More to Learn