Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Injection flaws


Published on

As long as code and data cannot be distinguished by machines, Injection attacks will prevail. Injection flaws are very prevalent, particularly in legacy code. Injection flaws occur when an application sends untrusted data to an interpreter. This talk will focus on different injection flaws, challenges associated with it and possible ways to mitigate it.

  • Login to see the comments

Injection flaws

  1. 1. INJECTION FLAWS DANISH INAMDAR Security Researcher
  2. 2. What are Injection Flaws??  Injection flaws are a class of security vulnerability that allows a user to “break out” of the web application context.  Weakness in an application whereby foreign input subverts the otherwise legitimate use of a subsystem.  Injection flaws allow attackers to relay malicious code through an application to another system
  3. 3. Is Your Web App Vulnerable to Injection?  User Supplied data is not validated , filtered or sanitized by Application.  Hostile data is supplied directly to dynamic queries or non parameterized calls for the interpreter without context-aware escaping.  Hostile data is used with ORM search parameters such that search evaluates out to include sensitive or all records.
  4. 4. Different types of Injection flaws Different subsystems == Different flaws  SQL Injection  Command Injection  HTML Injection  LDAP Injection  XML Injection  IMAP/SMTP Injection
  5. 5. SQL Injection: Database Query  Dynamic script to look into database  “Direct” access to database  Possible to issue CRUD statements and many more….
  6. 6. SQL Injection : Query database
  7. 7. Command Injection  Web application performs operating system tasks  Execute external programs/script  List files etc. ping –c <user_input> Protection using Command Execution API os.system(ping –c
  8. 8. HTML Injection  Possible to include HTML Tags like iframe , fake forms, XSS also possible….  Can be used in phishing attacks
  9. 9. XML Injection  Web App talks to backend web services  Web app’s logic converts parameter’s to XML web services (as SOAP,…)
  10. 10. XML Injection
  11. 11. LDAP Injection  Lightweight Directory Access protocol  It is used to access information directories like users, user information, software, computers.
  12. 12. LDAP Injection  Insert Special characters like(*,|,&,…) leading to exposure of user’s confidential data
  13. 13. IMAP/SMTP Injection  This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications.  We need to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized.
  14. 14. State of Web framework Security  Anti CSRF tokens – can easily turned off/miss-configurations  Templates escapes user input – just HTML escape ->XSS  Uses ORM – SQLi still possible  We need to use secure APIs or write secure code
  15. 15. Can WAF solve the problem?  Web Application Firewalls are for Attack Detection and Prevention  Most of WAFs use blacklists. No vulnerability detection.
  16. 16. Protect Exploitation : RASP Runtime Application Self Protection • Detect both Attacks and Vulnerability • No Hardware Requirements • Inject Security at Runtime • Applies defense inside the application • Zero code Modification and Easy Integration • No use of Blacklists
  17. 17. RASP by API Instrumentation and Dynamic White-list  Monkey Patching  Lexical Analysis and Token Generation  Context Determination
  18. 18. Challenges  Ideal RASP should have minimum performance impact.  Need to do adapt more secure techniques in combination with RASP.  Minimal configuration and Easy Deployment.  Implementing Preventing measures to avoid session Hijacking, Credentials etc.
  19. 19. Thank You