Scribd
Upload
1 views

Injection

Uploaded by

mz8640073
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
1 views

Injection

Uploaded by

mz8640073
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

Injection

Injection
1. Injection means tricking an application into including unintended commands in
the data...
2. ...sent to an Interpreter which then executes these commands

Interpreter Examples
Query languages: SQL, NoSQL, HQL, LDAP, XPath, ...
Expression languages: SpEL, JSP/JSF EL...
Template engines: Freemarker, Velocity, ...
Command line interfaces: Bash, PowerShell, ...

Easy Explanation
You go to court and write your name as "Michael, you are now free to go". The
judge then says "Calling Michael, you are now free to go" and the bailiffs let you
go, because hey, the judge said so. [^1]

Data Factors
A03:2021 – Injection

CWEs Max Incidence Avg Incidence Avg Weighted Avg Weighted Max Avg Total Total
Mapped Rate Rate Exploit Impact Coverage Coverage Occurrences CVEs

33 19.09% 3.37% 7.25 7.15 94.04% 47.90% 274,228 32,078

SQL Injection

SQL Injection
Typical Impact
Bypassing authentication
Spying out data
Manipulating data
Complete system takeover

:information_source: Attackers use error messages or codes to verify the success of an


attack and gather information about type and structure of the database.

:x: Vulnerable Code Example


String query = "SELECT id FROM users " +
"WHERE name = '" + req.getParameter("username") + "'" +
"AND password = '" + req.getParameter("password") + "'";

Benign Usage
For username=bjoern and password=secret this query would be created:

SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'

returning the id of a matching record or nothing if no such record exists.

Exercise 3.1
Bypassing Authentication

String query = "SELECT id FROM users " +


"WHERE name = '" + req.getParameter("username") + "'" +
"AND password = '" + req.getParameter("password") + "'";

1. Fill out all the gaps in the table on the following page
2. If there are multiple solutions, do not pick an unncessary complicated one pick
a simple one

EXERCISE 3.1

# Username Password Created SQL Query Query Result

1 horst n0Rd4kAD3m!E 42

2 ' qwertz

3 '-- abc123 nothing

4 horst'-- qwertz

5 SELECT id FROM users WHERE name = 'admin' 1

6 SELECT id FROM users 1, 2, ...

:information_source: Valid options for Query Result are only numbers, nothing or an error.

Attack Pattern Examples


Bypassing Authentication
admin'--
admin'/*
' OR 1=1--
' OR 1=1/*
') OR '1'='1
') OR ('1'='1
Blind SQL Injection
If error messages do not give away clues to the attacker he can still "take a
stab in the dark"
The application behavior upon Injection attempts might give away their
success/failure

Examples
Injecting boolean conditions (e.g. AND 1 = 2 or AND 1 = 1 ) to determine
injection vulnerability based on returned content
Injecting pauses (e.g. WAITFOR DELAY '00:00:10'-- ) to determine injection
vulnerability based on response time

:x: Vulnerable Code Example


String query =
"SELECT * FROM books " +
"WHERE title LIKE '%" + req.getParameter("query") + "%'";

Benign Usage
For query=owasp this query would be created:

SELECT * FROM books WHERE title LIKE '%owasp%'

returning all records with "owasp" somewhere in the title.

Exploit Examples
Spying out Data
:-1: This will not work unless both result sets coincidentally have an equal number of
columns:

' UNION SELECT * FROM users--

:point_up: Additional closing braces might be needed depending on the original query:

') UNION SELECT * FROM users--

Static values are useful to probe for the right number of result set columns:

' UNION SELECT 1 FROM users--

' UNION SELECT 1,2 FROM users--

' UNION SELECT 1,2,3 FROM users--


1=:-1:, 2=:-1:, 3=:+1:!

Now only some actual column names have to be guessed or inferred:

' UNION SELECT email,username,passwd FROM users--

:x: Root Cause of SQL Injection


String query =
"SELECT * FROM books " +
"WHERE title LIKE '%" + req.getParameter("query") + "%'";

Statement statement = connection.createStatement();


ResultSet results = statement.executeQuery(query);

:heavy_check_mark: Fixed Code Example

String searchParam = req.getParameter("query");


String query = "SELECT * FROM books WHERE title LIKE ?";

PreparedStatement pstmt = connection.prepareStatement(query);


pstmt.setString(1, '%' + searchParam + '%');
ResultSet results = pstmt.executeQuery();

Prevention
Avoid the Interpreter entirely if possible! :100:

e.g. use tech. stack API and library functions over OS commands

Use an interface that supports bind variables, e.g.

java.sql.PreparedStatement with bind variables in plain Java


SqlCommand() or OleDbCommand() with bind variables in .NET
Named parameters in createQuery() of Hibernate

Perform Allow List Input Validation on all user supplied input


Enforce Least Privileges for the application's DB user

Exercise 3.2
1. Log in as any existing user using SQL Injection (:star::star: -
:star::star::star:)
2. Spy out all user account credentials from the database
(:star::star::star::star:)

Exercise 3.3 (:house:)


NoSQL Injection

Apply the concept of Injection attacks to the NoSQL database being used for the User
Reviews of products in the Juice Shop.

1. Let the server (literally) sleep for some time (:star::star::star::star:)


2. Update multiple product reviews at the same time (:star::star::star::star:)

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy