As long as machines cannot distinguish code from data, injection attacks will prevail. Injection flaws are very prevalent, particularly in legacy code, and occur when an application sends untrusted data to an interpreter. This talk will focus on different injection flaws, the challenges associated with them and possible ways to mitigate them.
What are Injection Flaws?
Injection flaws are a class of security vulnerability
that allows a user to “break out” of the web
Weakness in an application whereby foreign input
subverts the otherwise legitimate use of a
Injection flaws allow attackers to relay malicious
code through an application to another system
Is Your Web App Vulnerable to
User-supplied data is not validated, filtered
or sanitized by the application.
Hostile data is supplied directly to dynamic
queries or non-parameterized calls to the
interpreter without context-aware escaping.
Hostile data is used in ORM search
parameters such that the search evaluates
to include sensitive or all records.
Different types of Injection flaws
Different subsystems == Different flaws
SQL Injection: Database Query
Dynamic script to look into database
“Direct” access to database
Possible to issue CRUD statements and many
Web application performs operating system
Execute external programs/script
List files etc.
ping -c <user_input>
Protection using Command Execution API
os.system("ping -c 127.0.0.1")
Possible to include HTML tags like iframe, fake forms, …
XSS is also possible.
Can be used in phishing attacks
Web App talks to backend web services
Web app’s logic converts parameters to XML for web
services (such as SOAP, …)
Lightweight Directory Access Protocol
It is used to access information directories like
users, user information, software, computers.
Inserting special characters like (*, |, &, …) leads
to exposure of users’ confidential data
This threat affects all applications that
communicate with mail servers (IMAP/SMTP),
generally webmail applications.
We need to verify the capacity to inject arbitrary
IMAP/SMTP commands into the mail servers,
due to input data not being properly sanitized.
State of Web frameworks
Anti-CSRF tokens – can easily be turned
Templates escape user input – HTML only
Uses ORM – SQLi still possible
We need to use secure APIs or write secure
Can WAF solve the problem?
Web Application Firewalls are for Attack
Detection and Prevention
Most WAFs use blacklists. No
Protecting against Exploitation: RASP
Runtime Application Self Protection
• Detects both Attacks and Vulnerabilities
• No Hardware Requirements
• Inject Security at Runtime
• Applies defense inside the application
• Zero code modification and easy
• No use of Blacklists
RASP by API Instrumentation
and Dynamic White-list
Lexical Analysis and Token Generation
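As an added illustration (not part of the original slides) of the lexical-analysis idea behind RASP and of the parameterized calls recommended against SQL injection, the following Python uses a constructed, simplified SQL lexer: a query built from untrusted input must produce the same token-kind sequence as the template with a neutral literal in each placeholder, while a parameterized query keeps the structure fixed by design. The names `tokenize`, `injection_detected`, `lookup_user` and `TEMPLATE` are assumptions.

```python
import re
import sqlite3

# Minimal SQL lexer (assumed simplified grammar; constructed for illustration,
# not the lexer of any real RASP product).
TOKEN_RE = re.compile(r"""
    (?P<WS>\s+)
  | (?P<STRING>'(?:[^']|'')*')
  | (?P<COMMENT>--[^\n]*|/\*.*?\*/)
  | (?P<NUMBER>\d+(?:\.\d+)?)
  | (?P<IDENT>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OP>[=<>!]+|[(),;*])
""", re.VERBOSE | re.DOTALL)

def tokenize(sql):
    """Return the sequence of token kinds for `sql`, skipping whitespace.
    Anything the lexer cannot classify (e.g. an unmatched quote) becomes UNKNOWN."""
    kinds, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            kinds.append("UNKNOWN")
            pos += 1
            continue
        if m.lastgroup != "WS":
            kinds.append(m.lastgroup)
        pos = m.end()
    return kinds

def injection_detected(template, values):
    """Lexical RASP-style check: each untrusted value may contribute exactly one
    STRING token.  Build the query with a neutral literal per placeholder, build
    it again with the real values, and compare the two token-kind sequences."""
    expected = tokenize(template.format(*["'x'"] * len(values)))
    actual = tokenize(template.format(*["'" + v + "'" for v in values]))
    return actual != expected

def lookup_user(name):
    """Parameterized query: the driver passes `name` as data, so the SQL
    structure cannot change no matter what the string contains."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])  # constructed sample rows
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    conn.close()
    return [r[0] for r in rows]

# Template as a dynamic (string-built) query would see it; {0} is the user slot.
TEMPLATE = "SELECT name FROM users WHERE name = {0}"
```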
Ideal RASP should have minimum
Need to adopt more secure techniques
in combination with RASP.
Minimal configuration and Easy
Implementing preventive measures to
avoid session hijacking, credentials, etc.