Contributor(s): Jeremy Ferragamo, Wichers, Eofedal, kingthorin, Charlie Worrell
Description

An injection flaw is a vulnerability which allows an attacker to relay malicious code through an application to another system. This can include compromising both backend systems and other clients connected to the vulnerable application. The effects of these attacks include:
Many web applications depend on operating system features, external programs, and processing of data queries submitted by users. When a web application passes information from an HTTP request as part of an external request, set up a way to scrub and validate the message. Otherwise an attacker can inject special (meta) characters, malicious commands/code, or command modifiers into the message. While these attacks are not difficult to attempt, there are an increasing number of tools that scan for these flaws. An attacker can use these techniques to obtain, corrupt, or destroy the contents of your database, compromise backend systems, or attack other users. Successful injection attacks may completely compromise or destroy a system. It is important to test for and protect against these types of attacks.

Examples
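The following is an added example, not code from the OWASP page: it shows the mechanism described above, a request parameter pasted into a query that an interpreter (here SQLite via Python's standard sqlite3 module, with a constructed in-memory table) then parses, beside the parameterised form in which user data is never parsed as query text. A name containing an ordinary apostrophe is enough to show the difference: the unsafe build breaks the statement, the safe one returns the row.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("O'Brien", "user"), ("root", "admin")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str):
    """Vulnerable pattern: the request value is concatenated into the SQL text.

    Every quote, comment marker or statement separator in `name` is handed to
    the SQL engine as syntax, which is exactly the injection channel the page
    describes. Shown for contrast only.
    """
    query = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str):
    """Hardened form: a bound parameter.

    The statement is sent with a placeholder and the value travels separately,
    so the engine never interprets user data as query text.
    """
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_query_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query fails to parse for this input."""
    try:
        find_user_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "O'Brien"))          # [(2, "O'Brien", 'user')]
    print(unsafe_query_breaks(db, "O'Brien"))     # True: syntax error near "Brien"
```

The same split applies to any interpreter named in the text (shell, XML/JSON parsers, template engines): keep user data as data and let the library, not string concatenation, assemble what the interpreter sees.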
How to Determine If You Are Vulnerable

The best way to determine if your applications are vulnerable to injection attacks is to search the source code for all calls to external resources (e.g., system, exec, fork, Runtime.exec, SQL queries, XML and JSON parsers, or whatever the syntax is for making requests to interpreters in your environment). Additionally, validate that all user provided input is sanitized and user provided data that is output is properly encoded where applicable. OWASP Web Security Testing Guide contains details on how to test for common injection attacks. See the References section below for additional information.

How to Protect Yourself
Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the external party. Data from all potentially untrusted sources should be subject to input validation, including not only Internet-facing web clients but also backend feeds over extranets, from suppliers, partners, vendors or regulators, each of which may be compromised on their own and start sending malformed data. Input validation should not be used as the primary method of preventing XSS, SQL Injection, and other attacks which are covered in respective cheat sheets but can significantly contribute to reducing their impact if implemented properly.
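An added example (not from the OWASP page) of validation applied at the boundary, as the paragraph recommends: a hypothetical order payload is checked against allowlists before anything downstream sees it. The field names, limits and currency set are assumptions chosen for the illustration; the point is the shape of the check, which rejects unknown fields, wrong types, out-of-range values and control characters, and reports every failure at once so it can be logged.

```python
import re
import unicodedata

# Allowlist rules for one hypothetical request type (assumed values).
# Anything not explicitly permitted is rejected before storage or processing.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
REQUIRED_FIELDS = {"username", "quantity", "currency"}
ALLOWED_FIELDS = REQUIRED_FIELDS | {"note"}


def validate_order(payload):
    """Validate an incoming order dict at the trust boundary.

    Returns (clean, errors): `clean` is a new dict holding only validated
    fields, or None if any check failed; `errors` lists every failure.
    """
    if not isinstance(payload, dict):
        return None, ["payload must be a JSON object"]
    errors = []

    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        errors.append("unexpected fields: " + ", ".join(sorted(unknown)))
    missing = REQUIRED_FIELDS - set(payload)
    if missing:
        errors.append("missing fields: " + ", ".join(sorted(missing)))

    clean = {}

    username = payload.get("username")
    if isinstance(username, str) and USERNAME_RE.match(username):
        clean["username"] = username
    elif "username" in payload:
        errors.append("username: 3-32 chars, lowercase letters, digits, underscore")

    quantity = payload.get("quantity")
    # bool is a subclass of int in Python, so True would otherwise pass as 1.
    if isinstance(quantity, int) and not isinstance(quantity, bool) and 1 <= quantity <= 1000:
        clean["quantity"] = quantity
    elif "quantity" in payload:
        errors.append("quantity: integer between 1 and 1000")

    currency = payload.get("currency")
    if isinstance(currency, str) and currency in ALLOWED_CURRENCIES:
        clean["currency"] = currency
    elif "currency" in payload:
        errors.append("currency: one of " + ", ".join(sorted(ALLOWED_CURRENCIES)))

    note = payload.get("note", "")
    if isinstance(note, str):
        # Normalise first so the length and character checks see one canonical form.
        note = unicodedata.normalize("NFC", note)
        has_control = any(unicodedata.category(c).startswith("C") for c in note)
        if len(note) <= 200 and not has_control:
            clean["note"] = note
        else:
            errors.append("note: at most 200 characters, no control characters")
    else:
        errors.append("note: must be a string")

    if errors:
        return None, errors
    return clean, []


if __name__ == "__main__":
    # Constructed inputs: one well-formed, one with several malformed fields.
    print(validate_order({"username": "alice_01", "quantity": 3, "currency": "EUR"}))
    print(validate_order({"username": "alice'--", "quantity": "3",
                          "currency": "XXX", "admin": True}))
```

Note that the validator is not what stops SQL or command injection (that is the job of parameterised queries and argument-list execution further down the flow); it removes the malformed data early so that those layers, and everything that persists or renders the data later, only ever see the expected shapes.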
Another strong protection against injection attacks is to ensure that the web application runs with only the privileges it absolutely needs to perform its function. So you should not run the webserver as root or access a database as DBADMIN, otherwise an attacker can abuse these administrative privileges granted to the web application. Some of the J2EE environments allow the use of the Java sandbox, which can prevent the execution of system commands.
If an external command must be used, any user information that is being inserted into the command should be rigorously checked. Mechanisms should be put in place to handle any possible errors, timeouts, or blockages during the call. All output, return codes and error codes from the call should be checked to ensure that the expected processing actually occurred. At a minimum, this will allow you to determine that something has gone wrong. Otherwise, the attack may occur and never be detected.
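The checks listed above (errors, timeouts, exit codes and output), as an added Python example that is not part of the OWASP page. The wrapper runs a program from an argument list with no shell, imposes a hard timeout, and turns every failure mode into an explicit status instead of letting it pass silently. The external tool is a constructed stand-in (the Python interpreter running a one-line script) so that the example runs offline; a real deployment would pass the real argv.

```python
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ToolResult:
    status: str                  # "ok", "nonzero_exit", "timeout", "not_found", "bad_output"
    returncode: Optional[int] = None
    stdout: str = ""
    stderr: str = ""


def run_checked(argv: List[str], timeout: float, expected_rc: int = 0,
                require_output: bool = True) -> ToolResult:
    """Run an external program with no shell and explicit result checks.

    Failure modes the caller should expect (missing binary, hang, unexpected
    exit status, empty output) are reported in ToolResult.status rather than
    raised, so the caller can log each one and refuse to continue.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, shell=False)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing is left running.
        return ToolResult("timeout")
    except FileNotFoundError:
        return ToolResult("not_found")
    if proc.returncode != expected_rc:
        return ToolResult("nonzero_exit", proc.returncode, proc.stdout, proc.stderr)
    if require_output and not proc.stdout.strip():
        # The tool "succeeded" but produced nothing: treat as a failed call.
        return ToolResult("bad_output", proc.returncode, proc.stdout, proc.stderr)
    return ToolResult("ok", proc.returncode, proc.stdout, proc.stderr)


def fake_tool(script: str) -> List[str]:
    """Constructed stand-in for an external tool: the interpreter itself."""
    return [sys.executable, "-c", script]


if __name__ == "__main__":
    print(run_checked(fake_tool("print('hello')"), timeout=10))
    print(run_checked(fake_tool("import sys; sys.exit(3)"), timeout=10))
    print(run_checked(fake_tool("import time; time.sleep(5)"), timeout=0.5))
    print(run_checked(["/nonexistent/constructed-tool"], timeout=1))
```

Each status is a distinct log line in practice; a "timeout" or "nonzero_exit" from a call that normally succeeds is the earliest signal that something, possibly an injection attempt, has changed the command's behaviour.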
Different injection attack types require different mitigation strategies (e.g. XSS vs. server-side template injection). Review which technologies your application uses and the available guidance on preventing the attack classes that abuse those technologies.
Another way to protect against injection is to avoid accessing external interpreters wherever possible. For many shell commands and some system calls, there are language specific libraries that perform the same functions. Using such libraries does not involve the operating system shell interpreter, and therefore avoids a large number of problems with shell commands.
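An added example (not from the OWASP page) of the library-instead-of-shell approach described above, in Python: the file operations that are commonly done by shelling out to ls, cp or du are performed with os and shutil, which take the path as data. The sample directory and the file name containing shell metacharacters are constructed inside the example so it runs offline; the name is handled as an ordinary string because no shell ever parses it.

```python
import os
import shutil
import tempfile


def list_dir(path: str):
    """Library equivalent of `ls path`: names come back as data, and nothing
    in them is ever interpreted by a shell."""
    with os.scandir(path) as entries:
        return sorted(e.name for e in entries if e.is_file())


def copy_file(src: str, dst: str) -> int:
    """Library equivalent of `cp src dst`; returns the copied size in bytes."""
    shutil.copyfile(src, dst)
    return os.path.getsize(dst)


def total_size(path: str) -> int:
    """Library equivalent of `du -sb` over the regular files in a directory."""
    with os.scandir(path) as entries:
        return sum(e.stat().st_size for e in entries if e.is_file())


def demo():
    """Constructed scenario: a directory containing a file whose name holds
    characters a shell would interpret (';', '$(...)', spaces).

    Building 'ls ' + name or 'cp ' + name for a shell would hand those
    characters to the interpreter; the library calls above treat the name
    as a plain path component."""
    with tempfile.TemporaryDirectory() as d:
        hostile_name = "report; $(echo injected).txt"
        with open(os.path.join(d, hostile_name), "w") as f:
            f.write("x" * 10)
        with open(os.path.join(d, "plain.txt"), "w") as f:
            f.write("y" * 5)
        copied = copy_file(os.path.join(d, hostile_name), os.path.join(d, "copy.txt"))
        return list_dir(d), total_size(d), copied


if __name__ == "__main__":
    names, total, copied = demo()
    print(names)    # ['copy.txt', 'plain.txt', 'report; $(echo injected).txt']
    print(total)    # 25
    print(copied)   # 10
```

Where a genuinely external program is unavoidable, the fallback is an argument list passed without a shell, which keeps the same property: the path is one argument, never a string an interpreter splits.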
Which of the following terms describes an attempt to read a variable that stores a null value?
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Memory leak.
Which of the terms listed below describes a programming error where an application tries to store a numeric value in a variable that is too small to hold it?
Integer overflow.
Which type of attack allows for tricking a user into sending unauthorized commands to a Web application?
CSRF occurs when a user is tricked by an attacker into activating a request in order to perform some unauthorized action.
Which of the following is a common form of social engineering attack?
Phishing: The Most Common Form of Social Engineering
Phishing is a form of email scam where someone sends an email claiming to be from a trustworthy business or person.