Monday, January 11, 2016

What is a Code Injection Attack ?

A Code Injection Attack is an attack in which the attacker exploits security vulnerabilities in the web application and introduces or injects code to change the course of execution.

A web application becomes vulnerable to Code Injection Attacks mainly when user data is sent to the interpreter without proper validation.

There are mainly a few common types of Code Injection Attacks :

  • SQL Injection Attacks
  • HTML Script Injection Attacks
  • Dynamic Code Evaluation Attacks
  • File Inclusion Attacks
  • Shell Injection or Command Injection Attacks

This type of attacks are mainly found in SQL, LDAP, XPATH, NoSQL, OS commands, XML Parsers, SMTP Headers etc. Let's look into some examples to understand these attacks better.

SQL Injection Attacks

 In this type of Code Injection Attacks, attackers exploit the security vulnerabilities in the application software and tricks the server to execute malicious SQL queries, thus deleting or changing the database or stealing sensitive data to perform even more attacks.

Example : Suppose, username and corresponding sensitive data are stored in a database. A registered user, provides username and corresponding data is displayed in his webpage. For that, the server takes the username and executes the following SQL query in the database :

SELECT * FROM users WHERE name = ' ” + userName + “ ' ; “

where userName is the username is taken as input from the user, may be through a form.

At this point, the attacker can input,

' OR '1'='1

And, if proper care is not taken while writing the code, the server will execute the following query :

SELECT * FROM users WHERE name = ' ' OR '1'='1';

As a result, sensitive data of all the users will be revealed to him.

Please look into SQL Injection Attacks to know more on this attack.

Preventive Measures :

There are couple of precautions we can take to mitigate this attack.

- User input should not be embedded in the query directly. Instead, parameterized statements that work with parameters should be used.
- Type constraints of variables should be properly checked before executing the query.
- For parameterized statements, parameters should be escaped properly. For example, in PHP mysqli_real_escape_string() can be used to escape parameters.
- Certain characters can even be forbidden to be used in the query.
- Database permissions should be limited appropriately. Some tables can be restricted to be fetched without appropriate permissions.
- Bin2hex() and unhex() can be used to convert the parameters to/from hex values. The advantage of this is, the output of unhex() function is returned as a string and not interpreted.

HTML Script Injection Attacks

 HTML Injection Attack is an attack through which an attacker takes advantage of security vulnerability of a web application and injects his own HTML contents into the webpage, thus tricking the user to provide sensitive information.

Example : Let's assume, a web application has security vulnerability and it has implemented the following piece of PHP code :

$name = $_REQUEST ['name'];

Welcome <?php echo $name ?>!!

Clearly, this code has vulnerability via the name parameter.

Suppose, an attacker comes to know about the vulnerability and he wants to steal an authenticated user's username and password.

So, he uses soe form of social engineering and sends a victim the following link :

/vulnerable.php?name=<h1>Please enter your username and password</h1><form method=”POST” action=””>Username:<input type=”text” name=”username” /> <br><Password:<input type=”password” name=”password” /><input type=”submit” value=”Login” /></form><!--

The attacker may also convert the ASCII characters to hexadecimal so that the link is not human readable.

The attacker may send this link to the victim through an email attachment saying some new features in the website.

The victim clicks on the link and it asks for username and password.

When the victim provides his username and password, the data directly goes to the attacker.

The attacker can now impersonate the victim and login to the victim's account with his login information.

Preventive Measures :

Yes, we can take a couple of steps to prevent this attack.
  • Never insert untrusted data excepting some allowable locations.
  • Use HTML Escape before inserting untrusted data into HTML element content
  • Use Attribute escape before inserting untrusted data into HTML common attributes
  • Use JavaScript escape before inserting untrusted data into JavaScript data values.
  • HTML escape JSON values in an HTML context and read the data with JSON.parse
  • Use CSS escape and strictly validate data before inserting the untrusted data into HTML style property values
  • Use URL escape before inserting untrusted data into HTML URL parameter values
  • Sanitize HTML markup with a proper library
  • Use HTTPOnly cookie flag
  • Implement content security policy.

Dynamic Code Evaluation Attacks

A Dynamic Code Evaluation attack is an attack, in which all or part of the input string of eval() function in PHP gets maliciously controlled by the attacker.

Example : For example, let's consider this piece of code :

$name = 'Adam';
$string = $_GET['arg'];
eval("\$name = \"$string\";");

Here, $string is an input taken from a user and then, the value is assigned to $name.

But, suppose an attacker gives as input 'noname ; system(“ls”)'.

Then, $string will be assigned 'noname; system(“ls”)' and inside the eval() function 'ls' will get called, revealing the list of files in the directory. The attacker may even update, delete or see sensitive files in the server using this vulnerability. And, this is how a Dynamic Code Evaluation attack is perpetrated.

Preventive Measures : We can avoid the usage of eval() as far as possible. The usage of eval() is actually normally discouraged. Try to implement the functionality with some other function.

But, if you think, you must use eval(), then make sure user provided inputs are not directly used as input of eval() function. Instead, we should process the input string and discard suspicious characters carefully and then use it.

File Inclusion Attacks

In File Inclusion Attack, an attacker tricks a web server to execute certain scripts and include a sensitive file from the server or malicious file remotely to the server with the purpose of performing even more attacks.

Example :

Let's consider this piece of code :

if ( isset( $GET['EYES'] ) ) {
include( $_GET['EYES'] . '.php' );

<form method="get">
        <select name="EYES">
                <option value="black">Black</option>
                <option value="blue">Blue</option>
         <input type="submit">

Here, if the attacker executes /eyes.php?EYES=/etc/passwd that will allow the attacker to read the content of file /etc/passwd from the web server. This may lead to theft of sensitive data or even more attacks later. This is a typical example of Local File Inclusion Attack.

Or the attacker may execute /eyes.php?EYES= And that will inject a malicious file in the web server, resulting in Remote File Injection Attack.

Preventive Measures :

We can follow some coding practices which will reduce this vulnerabilities to a large extent.
  • When a passed-in path is included, make sure it does not contain unintended character patterns.
  • Instead of dynamically generating the path from the URL or form parameter, you can use a predefined switch/case statement to determine which file should be included.

Shell Injection Attacks

A Shell Injection or Command Injection Attack is an attack in which an attacker takes advantage of vulnerability of a web application and executes arbitrary command in the server for malicious activities.

Example :

Let's understand this with an example.

Suppose, a web application takes name of a file as input from a user and displays it contents. And, the web application has implemented that with the following piece of PHP code :

print(Please specify the name of the file ) ;
$file = $_GET['filename'] ;
system(“cat $file”) ;

So, if a user gives an input 'profile.txt', corresponding file will be displayed.

But, suppose an attacker gives an input 'profile.txt ; ls ;'. It will list all files in the directory where profile.txt is kept.

Or even worse, the attacker can give input 'profile.txt; rm -rf /;” and this will delete all files in the root directory.

Preventive Measures :

We can take a couple of steps to prevent this attack.
  • Carefully sanitize all user input data in the web application.
  • Strip certain characters like ';', '&', '|' etc from user input data.
  • Limit the length of user input data.
  • Check the validity of user input data type.
  • It is always advisable to include filtering functions before executing the command. In PHP, escapeshellarg, escapeshellcmd may solve the purpose.

For more information, please look into Shell Injection or Command Injection Attacks.

So, beware of various vulnerabilities of web applications, so that you can protect your web server in a better way. And, stay safe, stay secured.

No comments:

Post a Comment