A1: Injection Attack

Vivek Kamisetty
3 min read · Oct 17, 2020

What Is Injection?

An injection attack usually occurs when an attacker inserts malicious code, as part of a query or command, into the input fields of a website. A successful attack can lead to data theft, data loss, or access to data without authorisation.

How Is The Application Vulnerable?

The application can be vulnerable to attack when:

▪️ User-supplied data is not validated, sanitised or filtered by the application.

▪️ Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.

▪️ Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.

How To Prevent:

▪️ Use a safe API (the preferred option) or parameterised queries: variables passed as arguments to prepared statements are bound as data, so they are automatically escaped.

▪️ For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.

▪️ Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.

Types Of Injections:

SQL:

A SQL injection attack is carried out by injecting a SQL query via the input fields that the client sends to the application. Web applications typically take user input through a form, and the front-end passes that input to the back-end for processing. A successful SQL injection can lead to reading sensitive data from the database, modifying the database, bypassing authentication, and information disclosure. It can even compromise the entire system.

A simple example of a SQL injection attack:

Consider an application which allows users to log in with a username and password. Let's say the query is constructed as:

SELECT * FROM users WHERE username = 'peter' AND password = 'qwerty'

Here, an attacker can log in as any user without a password simply by using the SQL comment sequence -- to remove the password check from the WHERE clause of the query. For example, submitting the username admin'-- and a blank password results in the following query:

SELECT * FROM users WHERE username = 'admin'--' AND password = ''

This query returns the user whose username is admin and successfully logs the attacker in as that user.
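The login query above, run both the way the post builds it (string concatenation) and the way the prevention section recommends (a parameterised query), as an added example that is not part of the original post. It uses Python's built-in sqlite3 module and a constructed in-memory users table; the table, the sample rows and the function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [("admin", "s3cret"), ("peter", "qwerty")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string concatenation, the pattern the post's example shows."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username: str, password: str):
    """Same lookup as a parameterised query: the driver binds both values as data,
    so a quote or comment sequence inside them never reaches the SQL parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run a legitimate login and the post's admin'-- payload against both versions."""
    conn = make_db()
    payload = "admin'--"  # the username from the post's example, blank password
    return {
        "legit_vuln": login_vulnerable(conn, "peter", "qwerty"),
        "legit_safe": login_parameterised(conn, "peter", "qwerty"),
        "payload_vuln": login_vulnerable(conn, payload, ""),   # -> "admin"
        "payload_safe": login_parameterised(conn, payload, ""),  # -> None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query the comment sequence removes the password check and the lookup returns admin; with the bound parameters the literal string admin'-- simply matches no row.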

OS Command Injection:

An operating system command injection attack occurs when an attacker gets the application to execute operating system commands with the privileges of the user running the web application. An attacker who gains access this way can change, manipulate, or read data, and inject commands that steal data or attack the surrounding infrastructure. The impact of command injection depends heavily on those privileges.

A simple example of OS command injection:

Consider the following code wrapper around the unix command "cat":

#include <stdio.h>
#include <stdlib.h>   /* malloc, free, system */
#include <string.h>   /* strlen, strncpy, strncat */
#include <unistd.h>

int main(int argc, char **argv) {
    char cat[] = "cat ";
    char *command;
    size_t commandLength;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }

    /* Build the string "cat <argv[1]>" in a freshly allocated buffer. */
    commandLength = strlen(cat) + strlen(argv[1]) + 1;
    command = (char *) malloc(commandLength);
    if (command == NULL) {
        return 1;
    }
    strncpy(command, cat, commandLength);
    strncat(command, argv[1], (commandLength - strlen(cat)));

    /* argv[1] is handed to the shell unmodified: this is the injection point. */
    system(command);
    free(command);
    return 0;
}

Used normally, we get:

However, if we add a semicolon and another command to the end of the argument, that command is also executed by catwrapper, with no errors.


Vivek Kamisetty

aka Mr_UnKnOwN | CTF player | Reverse Engineer | @teambi0s