menu

Sunday, March 20, 2022

Web security: Understanding different type of injection attacks

Introduction:

In this article, I will try to explain different type of injection attacks that can be used to exploit a web application. Injection is one of the most dangerous attacks that targets web applications. The current OWASP Top 10 list still lists the injection in top three web application security risks. All injection attacks are based on using user supplied untrusted data in an interpreter as part of a command or query.

Let’s summarise the 5 widely used injection attacks in web applications: SQL , NoSQL, LDAP, LOG and CSV Injections.

SQL Injection:

SQL injection occurs when user supplied untrusted data send to a database engine as part of a command or query.

As a result of SQL injection attacker can bypass authentication, disclosure data on database, cause alter or delete data which will break data integrity, run system commands on database server.

An example SQL Injection attack using an always true condition;

Let’s say an application uses below sql query as a string variable;

sql = select username, password from users where username=’%s’;

For above query if an attacker provides a username as xxx’ or ‘1’=’1;

The resulting query will be as below;

select username, password from users where username=’xxx’ or ‘1’=’1’

Here, or ‘1’=’1 part is an always true condition, and it will result a true where condition which will return all username/password pairs from the database.

To defend against SQL injection at least the following protections should be used;

  • Using a strong validation and sanitisation mechanism
  • Using parametrised queries with prepared statements

NoSQL Injection:

In NoSQL injection attacker inject the code into commands to execute in the NoSQL engine.

NoSQL query syntax is specific to the NoSQL engine. Usually, the queries are written in the programming language of the application like JavaScript or Java. For example in MongoDB, Injecting JavaScript code using $where query operator is possible.

To defend against NoSQL injection at least the following protections should be used;

  • Using a strong validation and sanitisation mechanism
  • Using parametrised queries
  • Using built-in features of the NoSQL engine to create secure queries

LDAP Injection:

In LDAP injection attacker inject the code into commands to execute in the LDAP engine.

LDAP require queries with some special characters to be used in construction of predicates. If an attacker can send an input directly as a control character the query can be changed to do unwanted operations.

To defend against LDAP injection at least the following protections should be used;

  • Using a strong validation and sanitisation mechanism
  • Using parametrised queries
  • Using built-in features and trusted libraries to create LDAP queries

LOG Injection:

In LOG injection the attacker inject code into logs which can lead to different vulnerabilities by polluting or compromising the system logs.

Through LOG injection an attacker can perform;

  • Log forging by using CRLF(\n\r) characters
  • XSS attacks
  • Code execution

To defend against LOG injection at least the following protections should be used;

  • Using a strong validation and sanitisation mechanism
  • At least filtering out or replacing CRLF characters before printing in log
  • Limiting the size of the log messages
  • Using available protections in the log framework and from trusted libraries
  • Preventing to save or view the Javascript content through logs

CSV Injection:

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

CSV injection can be used to steal data from CSV or Excel files and running formulas to run commands on the user’s machine that is viewing the document.

To defend against CSV injection at least the following protections should be used;

  • Using a strong validation and sanitisation mechanism
  • Never directly input user provided data into files that includes formula definition
  • Wrap each cell field in double quotes
  • Prepend each cell field with a single quote
  • Escape every double quote using an additional double quote

Conclusion:

An insecure software can easily cause serious consequences for businesses and individuals. Those consequences can include financial abuse, theft and loss of reputation. Vulnerable software will be especially cause huge damages on important industries such as finance and healthcare. Someone can try to hack your application on purpose, or a user can compromise it unintentionally. Therefore it is always needed to program defensively to prevent compromising your application in either case.

To secure web application and prevent injection vulnerability;

  • Separate user provided data from the executable content
  • Validate and escape user provided data before using it
  • Run the web application with the least privilege that is needed
  • Always follow defense-in-depth methodology to prevent the attacks in multiple layers.

If you want to see hands-on examples with these injection attacks and want to hack the vulnerable applications you have developed, you can check out my new course: Web security: Injection Attacks with Java & Spring Boot

In this course you will learn web security and perform different type of injection attacks using the following steps in each section.

  • Development of the vulnerable web application using Java, Spring boot and Spring security
  • Hacking of the application with various attack payloads and with Ethical hacking examples
  • Protection steps and the implementations to prevent injection attacks