Injection Attacks
Pentesters like to use injection attacks to break through a web application and gain access to the underlying OS/system that supports that application. There are various types of injection attacks: SQL Injection, Command Injection and Cross Site Scripting (XSS). These vulnerabilities allow the attacker or pentester to supply code to the web application as input and trick the web server into performing an action that was not intended.
If we notice a web app is vulnerable to an injection attack, how can we provide details about fixing this issue? The most important method to solve this is input validation. Any application that allows user input should validate what the user is entering. A great method for input validation is called whitelisting. This is when the developer of the web app describes the type of input the application should expect and verifies that the input matches before passing the data along. This is not easy to do, as some fields are hard to describe. Just imagine a textbox that allows users to provide feedback on a product. The developer would not know what the user might input or say, so whitelisting isn't feasible for that field.
Where whitelisting is not feasible, developers can use the blacklisting method. With this method developers try to describe what might be potentially bad input that should be blocked. For example, a developer might blacklist SQL commands or even HTML tags. Developers also need to think carefully about what they blacklist, though. If they blacklist a single quote (') it could help stop SQL injections, but how could someone with a last name of O'Shea or O'Conner input their name into a field?
SQL Injections
SQL Injection is when you manipulate ("inject") an SQL query through the input data sent from the client side to the application. SQL Injections are common with server side scripting languages like PHP and ASP. The severity of an SQL injection depends on your knowledge and skill in writing SQL queries. If it has been a while since you have taken ICS 129, I would suggest refreshing on SQL.
You are probably wondering what you can do with an SQL Injection:
Read sensitive data
  - Passwords
  - Addresses
  - SSN
Modify the database
  - Change a password
  - Delete data
  - Add user account
  - Delete tables
Shutdown the database
Let us look at an example SQL statement:
$statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Let's break down the SQL statement:
userName is a variable obtained from user input
The SQL statement will pull up information about a specific username from the users table.
If we study this SQL statement we can see how it can be injected by manipulation of userName.
If a user was to enter their username of 'jdoe' the SQL statement would look like this:
SELECT * FROM users WHERE name = 'jdoe';
What if we decided not to use jdoe as our input and entered some SQL instead? What if we used ' OR '1'='1 ?
The query would change to:
SELECT * FROM users WHERE name = '' OR '1'='1';
This sets the name value to an empty string and uses OR to add a second Boolean condition. In the users table it is highly doubtful that anyone has an empty name, so this part of the query would return false. The next part of the query will always return true, as 1 will always equal 1. This means that the WHERE clause in the SQL statement will evaluate to TRUE for every row and dump the table's information.
Keep in mind that there are different types of SQL Injections.
Boolean Blind: The attacker is able to exploit the SQL by crafting SQL queries that will evaluate to either true or false. The above example is a Boolean Blind attack.
Timing-Based Blind: This attack also manipulates the SQL query, but exploits the application's response time to extract information. By manipulating the application's response time the attacker is able to determine the presence of specific conditions. The SQL statements that are injected introduce a time delay. SQL has a SLEEP function, so if an attacker created an SQL statement that included SLEEP(5) and the query evaluated to true, the server would delay the response by 5 seconds. Continuing with the example above, we could manipulate the SQL statement to be:
SELECT * FROM users WHERE name = 'admin' AND SLEEP(5);
This would be an example of a timing-based blind SQL injection.
Checkout OWASP SQL Injection Prevention Cheat Sheet to learn what can also be done to prevent SQL Injections.
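The following is an added example (not from the original page) that builds the $statement above both ways: by string concatenation, as the page shows, and with a parameterized query, the fix the OWASP cheat sheet recommends. It uses a constructed in-memory SQLite table so it runs offline, and it also shows why the blacklisting of single quotes discussed earlier is the wrong fix: the name O'Shea breaks the concatenated query but works fine as a parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("jdoe", "jdoe@example.com"),
         ("admin", "admin@example.com"),
         ("O'Shea", "oshea@example.com")],
    )
    return conn


def lookup_concat(conn, user_name):
    """Vulnerable: the same string building as the page's $statement.
    Whatever the user types becomes part of the SQL text."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_param(conn, user_name):
    """Hardened: the value travels separately from the query text, so a
    quote in the input is data, never SQL syntax."""
    return conn.execute(
        "SELECT * FROM users WHERE name = ?", (user_name,)
    ).fetchall()


def demo():
    """Row counts for the page's payload and for a legitimate O'Shea."""
    conn = make_db()
    payload = "' OR '1'='1"
    results = {
        "concat_jdoe": len(lookup_concat(conn, "jdoe")),
        "concat_payload": len(lookup_concat(conn, payload)),  # all rows
        "param_payload": len(lookup_param(conn, payload)),    # no such name
        "param_oshea": len(lookup_param(conn, "O'Shea")),
    }
    try:
        lookup_concat(conn, "O'Shea")
        results["concat_oshea"] = "ok"
    except sqlite3.OperationalError:
        # The apostrophe closes the string early: broken SQL for a real user.
        results["concat_oshea"] = "syntax error"
    return results
```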
Directory Traversal (File Inclusion)
Directory traversal is another web security vulnerability that we need to be aware of. This is when an attacker tries to access files and directories outside of the intended directory structure. If a web application allows the user to specify a particular file or directory, it might be prone to a directory traversal attack. For example, if we notice a URL that looks something along the lines of:
example.com/download?file=filename
We can tell that we can specify a file to download. We might be able to navigate outside the intended directory structure and access an /etc/passwd or /etc/shadow file. In doing our reconnaissance we determined that the webserver is running Apache. Apache uses /var/www/html/ as the default location to serve web pages from. This means we need to go up three directories to get to / and then we can specify /etc/passwd. We could then use the following URL:
example.com/download?file=../../../etc/passwd
If this was successful we would be able to download the passwd file and possibly other information from the system! This is where input validation comes into play!
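As an added example (not part of the original page), here is the check a download handler for the URL above needs before opening the file. The download directory under /var/www/html is a constructed assumption; the point is that the requested path is resolved and then compared to the root, rather than searching the string for "..".

```python
import os

# Assumed download directory under the page's Apache document root.
DOWNLOAD_ROOT = "/var/www/html/downloads"


def safe_download_path(root, requested):
    """Return the absolute path to serve, or None if it escapes root.

    realpath() collapses every '..' (and any symlink) in both paths
    before they are compared, so "../../../etc/passwd" resolves to
    /etc/passwd and fails the check, while "sub/../report.pdf" is fine.
    A string search for '..' would miss encodings and absolute paths;
    this check sees only the final resolved location."""
    root = os.path.realpath(root)
    # os.path.join drops root entirely when the request is absolute.
    if os.path.isabs(requested):
        return None
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath, not startswith: "/var/www/html/downloads2" starts
    # with the root string but is a different directory.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def handle_download(file_param):
    """What the ?file= handler should do with the raw parameter."""
    path = safe_download_path(DOWNLOAD_ROOT, file_param)
    if path is None:
        return (400, "invalid file name")
    return (200, path)
```

The parameter is assumed to be URL-decoded already, as the web framework does before the handler sees it.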
Command Injection
Command injection attacks are when an attacker is able to input commands into a web application that then get run. This can happen if the web application lacks proper input validation or input sanitization of user input data. Command injection attacks are possible when the web application code uses an operating system command to execute and complete a task. Imagine if you had a user input box that allows you to ping a system. This would rely on the operating system's ping command and would provide you with its output. During our reconnaissance we noticed it was running Linux. With our knowledge of Linux we can chain commands. Instead of just inputting www.leeward.hawaii.edu we input www.leeward.hawaii.edu; cat /etc/passwd
This would complete the ping command to the specified webserver and, once that completed, it would perform the next command, which displays the /etc/passwd file.
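The following is an added example, not code from the page, of the ping box done the vulnerable way and the fixed way. The fix is twofold: whitelist the hostname (the page's term) so nothing the shell treats as special gets through, and hand ping an argument list with no shell at all, so a ";" could never split the command even if validation were wrong.

```python
import re
import subprocess

# Whitelist: labels of letters, digits and hyphens joined by dots, no label
# starting or ending with a hyphen. Shell metacharacters (; | & $ ` space,
# newline) cannot match, and a leading '-' (option injection) is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(host):
    return HOSTNAME_RE.match(host) is not None


def ping_command_vulnerable(host):
    """The string a typical os.system() call would hand to /bin/sh.
    The ';' in the page's input turns it into two commands."""
    return "ping -c 1 " + host


def ping_command_safe(host):
    """argv list for subprocess.run(..., shell=False): no shell parses it,
    so the host is always one argument, and it is validated first."""
    if not is_valid_hostname(host):
        raise ValueError("rejected host: " + host)
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Runs ping without a shell and returns its output (not run in tests)."""
    result = subprocess.run(
        ping_command_safe(host), capture_output=True, text=True, timeout=10
    )
    return result.stdout
```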
Cross Site Scripting (XSS)
This is an older attack method and a lot of browsers protect against it. It is also something that can be detected and prevented by firewalls. XSS is when an attacker is able to inject malicious scripts into web pages. These web pages will then be viewed by others and the script will be executed each time the page is loaded. This attack is due to the trust that web applications place in users and user-generated content. It can be prevented by sanitizing data input (this seems to be a common theme).
There are three main types of XSS:
Stored XSS (you might also see it called Persistent XSS): The script is permanently stored on the target server. When the page is loaded, all users who view it are affected.
Reflected XSS: The malicious script is usually embedded within a URL or input field. When the link is clicked or the form is submitted, the script is run by the user's browser.
DOM-based XSS: The Document Object Model (DOM) is attacked by the malicious script in this type of XSS attack.
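As an added example (not from the page), here is the stored XSS case in miniature: a constructed list of forum comments rendered into a page with and without output encoding. The vulnerable renderer concatenates the raw text, so the browser sees a real script element; the fixed one encodes the characters that HTML treats as markup, so the same comment can only ever display as text.

```python
import html

# Constructed stored comments, as a forum table would hold them. The second
# is the shape of a stored XSS payload: markup where text was expected.
COMMENTS = [
    "Great product, works as described.",
    "<script>alert('xss')</script>",
    'Rated "5 stars" & would buy again',
]


def render_vulnerable(comments):
    """Raw concatenation: user text becomes part of the page's markup."""
    return "<ul>" + "".join("<li>" + c + "</li>" for c in comments) + "</ul>"


def render_safe(comments):
    """Output encoding: <, >, &, quotes become entities (&lt; ...), so the
    browser renders the payload as literal characters, never as a tag.
    Note quote=True matters when a value lands inside an attribute."""
    return (
        "<ul>"
        + "".join("<li>" + html.escape(c, quote=True) + "</li>" for c in comments)
        + "</ul>"
    )


def contains_script_element(page):
    """Crude check used here to show the difference between the two."""
    return "<script" in page.lower()
```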
Web Application Firewalls
Web Application Firewalls (WAFs) play a major role in helping to protect web applications from attacks. Developers should not rely on a WAF alone and should also do input validation or whatever other means are needed to keep malicious data input out. A WAF runs at the application layer and sits in front of a web server. When data is sent to the web server the WAF analyzes it, and if it passes the scrutiny the data is then forwarded to the web server for processing. This helps because the WAF prevents malicious input/data from ever being processed by the web app/web server. Having a WAF is an important part of a company's defense!
Cross Site Scripting (XSS)
This demo uses the Juice Shop Docker Container to show how to perform some XSS. Be aware that there are different types of XSS:
Reflected XSS - the web app immediately returns user input.
Stored XSS - the user input is stored on the target server (think forum post) and the victim retrieves the stored data.
DOM-Based XSS - the DOM is attacked.
Command Injection
This demo continues to use the Rickdiculously Easy VM. In the demo I perform a command injection attack to gain access to the passwd file. With this information and the previously discovered password I use hydra to determine which user the password belongs to. I finish up with gaining root access to this VM. It is a longer video, but it provides demos of various tools and techniques.
SQL Injection
Please watch a demo of how to use sqlmap. We take advantage of a known vulnerable website: http://testphp.vulnweb.com/. I suggest following along and learning more about sqlmap on your own. It is a powerful tool to have in your toolbelt!