Injection Vulnerabilities

Injection Vulnerabilities
An Introduction

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

Overview

The Nature of the Vulnerability:
- User input is treated as executable code/instructions/commands
The Nature of Attacks:
- The attacker provides malicious input

SQL Injection

The Vulnerability:
- Combining query language fragments with untrusted data (e.g., using dynamic string building)
An Example:
- "SELECT Name FROM Student WHERE Year = '" + data + "'"
Example Availability Attack:
- The attacker enters "'; DROP TABLE Assistants; --'" (where -- starts a comment)
Example Integrity Attack:
- The attacker enters "'; UDPATE TABLE Assistants SET Performance='Poor' WHERE Name='Jones'; --'"
Example Confidentiality Attack:
- The attacker enters "'; SELECT * FROM Table Grades; --'"

SQL Injection (cont.)

Nerd Humor - Exploits of a Mom

(Courtesy of xkcd)

SQL Injection (cont.)

A Common Approach to Authentication:
- "SELECT * FROM Users WHERE Username='" + $username + "' AND Password='" + $password + "'"
An Attack that Bypasses the Password:
- Enter your username as ' OR 1=1 --

SQL Injection (cont.)

One Way Attackers Find Vulnerabilities:
1. Provide input that will result in a syntax error (e.g., a single quote or semicolon) which often results in an error message that contains the query
2. Provide input that provides information about all of the tables (e.g., using SELECT Table_Name FROM INFORMATION_SCHEMA.Tables or SELECT TABLE_NAME FROM USER_TABLES)
Mitigation:
- Disable/change error messages

SQL Injection (cont.)

Another Way Attackers Find Vulnerabilities (Blind Injection):
1. Provide input that will always evaluate to true (e.g., '' OR '1' = '1')
2. Provide input that will always evaluate to false (e.g., '' OR '1' = '2')
3. Identify the format of answers to yes/no questions.
4. Provide input that is equivalent to a series of yes/no questions (e.g., does the database contain a table with a name that starts with the letter 'A')
Mitigation:
- Limit the number of queries and increase the amount of time between queries from a single source

SQL Injection (cont.)

Mitigation:
- Validate data (Note: Allow-lists are preferred to deny-lists)
- Encode/escape strings (e.g., using mysql_real_escape_string() in PHP)
- Use parameterized queries rather than dynamic strings
```
database.queryText = SELECT Name FROM Student WHERE Year = ?;
database.addParamater(inputYear);
database.executeQuery();
              
```
Notes:
- Input validation (e.g., using regular expressions) can be very time-consuming and lead to denial of service attacks (though there are tools for testing regular expressions, like SDL Regex Fuzzer)

SQL Injection - Other Things to Pay Attention To

Numeric Fields:
- Escaping the single-quote and double-quote characters might not be enough when the database contains numeric fields
Character Insertions:
- Characters can often be inserted in many ways, not just as literals (e.g., using the char() function)

Injection into Other Interpreters

LDAP:
- The Lightweight Directory Access Protocol (LDAP) is used to query and manipulate directory services
- A query is formatted as name=value[,...] and, in WWW apps, is often built dynamically (e.g., ldapSearchQuery = "(cn=" + $eID + ")";) from user input (e.g., leading to injections like "*" or "bernstdh)(|(password=*))")
sendmail:
- Used to send email messages (usually from your own server)
- Can be invoked in PHP using the function:
  bool mail ($to , $subject , $message [, $headers [, $parameters ]])
  and is often done so based on user input
Others:
- Hibernate Query Language (HQL)
- XPATH
- XQuery
- XSLT
- XML

Command/Instruction Injection

Vulnerabilities in Different Languages:
- C Posix: execlp(), execvp(), popen(), system()
- C MS-Windows: ShellExecute(), _wsystem()
- Java: Class.forName(), Class.newInstance(), Runtime.exec()
- JavaScript: eval()
- Perl: `, |, eval, Exec, System
- PHP: eval()
- Python: eval, exec, execfile, os.open, os.system
- Ruby: Kernal.eval(), Kernel.exec(), Kernel.fork()
Mitigation:
- Validate/sanitize data (Note: Allow-lists are preferred to deny-lists)
- Write wrapper functions/methods
- Some languages (e.g., Perl, Ruby) include a taint mode that provides checks

JSON Injection

What is JSON (JavaScript Object Notation):
- A data interchange format that is human readable/writeable and valid JavaScript (and easy to parse in other languages)

An Example:

{
  "personalName": "David",
  "lastName": "Bernstein",
  "age": 40
  "children": []
}

The Vulnerability:
- JSON data is often parsed using the eval() function and then used to populate a document
The Attack:
- Include an immediately-invoked function in the JSON representation
Mitigation:
- Include the JSON representation in a document with an appropriate Content-Type (e.g., application/json)
- Sanitize the JSON (e.g., using the OWASP JSON Sanitizer)
- Use a JSON parser rather than eval()

Multi-Level Injection

The Vulnerability:
- One context that is vulnerable to an injection attack has the ability to execute code in another context
An Example:
- The Microsoft SQL Server can be configured to run a stored procedure named xp_cmdshell which executes commands in the command shell
Mitigation:
- These kinds of vulnerabilities can be difficult to mitigate entirely (e.g., a stored procedure that can be disabled/removed can often be enabled/restored by an attacker with appropriate privileges)
- Hence, mitigation often involves multiple steps (e.g., disable the stored procedure, remove the stored procedure, and run with appropriate priveleges)

Cross-Site Scripting (XSS)

The Nature of the Vulnerability:
- A "dynamic" (HTML) document that has user-supplied data written into it
The Nature of Attacks:
- The attacker "tricks" the user into supplying data to a server in various different ways