Injection is a broad class of attacks in which an attacker supplies untrusted, malicious input through the data fields a web application exposes for its normal functionality, such as the Name, Email, and Cell phone fields of an online form, or the Username and Password fields of a login page.
If an attacker succeeds in injecting arbitrary code or input through the application's data fields, that input is processed within the context of the web application and leads to security issues such as denial of service, data theft, and loss of data integrity. Injection can take multiple forms: it can be through SQL, LDAP, operating system commands (command injection), or any intermediary that passes commands to another system.
One of the most common vulnerabilities in web applications today is SQL injection, in which input entered by a user on a website bypasses the application's security controls and reaches the database directly. This is a serious vulnerability.
Let’s take an example SQL injection scenario.
Here we have a sign-up form in the web application that includes a country drop-down. When the user selects a country, the city information in a second drop-down box is updated automatically. You’ve probably seen something like this before.
What happens if an attacker modifies the country to an unexpected value? It’s possible that the developer never thought this was something that required validation checks.
Here you can see a possible SQL query that is used to get the dropdown box of cities for the page.
SELECT * FROM COUNTRY WHERE NAME='INDIA'
In the normal everyday use case, the POST data is what the webpage would send, and the SQL is what the database would receive as a query.
The result of this query would just be a list of cities in India.
In SQL injection, the query sent to the database is altered by a hacker. If we look at a more dangerous case, a hacker could tack a malicious UNION SQL statement onto the end of the value after the word India.
SELECT * FROM COUNTRY WHERE NAME='INDIA' UNION SELECT * FROM USERS_TABLE--'
name=Name&addr=Address&country=India' UNION SELECT * FROM USERS_TABLE--
Depending on the SQL query used, arbitrary data can be retrieved from the database. Notice that the drop-down box not only shows cities, but also usernames from the user table because of our SQL injection attack. In the worst case we could update or alter data.
There are situations where being helpful to users can also be helpful to hackers. Error messages can often describe in detail what went wrong in the back end. Unfortunately, if this information were provided to a hacker, it can make SQL injection easier.
For instance, an error message such as the one seen here says there is a problem with the hacker’s UNION statement. This gives information to hackers allowing them to revise their SQL injection until they get the perfect result. Error messages such as these, although helpful to a user, should be avoided.
One thing to note is that although detailed error messages are much more helpful to an attacker, an error message without detail does not mean that the attack was prevented. The error message seen here could still mean that the attack succeeded, but that the details never returned to the web tier.
In fact, in an attack known as blind SQL injection, an attacker can perform a successful injection without the help of error messages, sometimes even by observing page behavior.
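The drop-down scenario above, and the point about error messages, as an added example that is not part of the original page: a vulnerable query built by string concatenation next to a hardened version that validates the drop-down value against an allowlist, binds it as a parameter, and returns only a generic error. The COUNTRY/USERS_TABLE schema, the sample rows and the allowlist are constructed for this example.

```python
import sqlite3

# Constructed schema mirroring the page's example: a COUNTRY table that maps
# country names to cities, and a USERS_TABLE that must never reach the page.
SCHEMA = """
CREATE TABLE COUNTRY (NAME TEXT, CITY TEXT);
INSERT INTO COUNTRY VALUES ('INDIA', 'Delhi'), ('INDIA', 'Mumbai'), ('FRANCE', 'Paris');
CREATE TABLE USERS_TABLE (USERNAME TEXT, PASSWORD_HASH TEXT);
INSERT INTO USERS_TABLE VALUES ('alice', 'constructed-hash-value');
"""

# Assumption: the only values the country drop-down is allowed to submit.
ALLOWED_COUNTRIES = {"INDIA", "FRANCE"}


def new_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def cities_vulnerable(conn, country):
    """The pattern the page describes: the submitted value is pasted into the
    SQL text, so quotes, UNION and comment markers in it are executed as SQL."""
    sql = "SELECT * FROM COUNTRY WHERE NAME='" + country + "'"
    return conn.execute(sql).fetchall()


def cities_parameterized(conn, country):
    """Parameter binding alone: the value travels separately from the SQL text,
    so whatever characters it contains are only ever compared against NAME."""
    sql = "SELECT * FROM COUNTRY WHERE NAME = ?"
    return conn.execute(sql, (country,)).fetchall()


def cities_hardened(conn, country):
    """Defence in depth for a drop-down: reject anything outside the allowlist
    before touching the database, then still bind the value as a parameter.
    The error raised carries no SQL text or driver detail for the web tier
    to echo back to the client."""
    if country not in ALLOWED_COUNTRIES:
        raise ValueError("unknown country")
    return cities_parameterized(conn, country)
```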
Other forms of injection
While SQL injection is one of the most common forms of injection attack, there are other forms as well, such as injection through file upload, code injection, OS command injection, Lightweight Directory Access Protocol (LDAP) injection, and XPath injection.
Code injection is when an attacker injects application code that can execute when an application runs. This can lead to a full system compromise.
Attackers can also inject operating system commands when users are running an application to cause an OS command injection attack.
To execute arbitrary LDAP commands, attackers can inject LDAP statements and modify the content of LDAP trees.
And finally, attackers can use XPath injection to craft XPath queries and inject them into an application. This allows for a number of exploits, such as bypassing authentication and accessing data.
Unrestricted file upload
Injection through file upload tools that you provide to users on web pages can be dangerous. These tools can result in malware, denial of service attacks, and more.
Take profile photo upload features for example. These are frequently available on many web sites and don’t appear vulnerable to attack. But if a developer doesn’t make sure these features restrict dangerous file types, then anyone can upload them. In this case, it becomes the server’s responsibility to ensure that the file a user uploaded was actually a photo.