General Injection Attacks
There are several types of injection attacks, depending on what part of a system is being attacked.
However, they all follow a common pattern. We start with some component of the program that accepts
commands in text form. This component might be a command shell, a SQL interpreter, an XML parser, or
even the interpreter for a language such as Python or JavaScript. Injection attacks are possible whenever
four criteria are satisfied:
1. The program is using some form of command interpreter.
2. The commands being sent to the interpreter are constructed by the program while it is executing.
In other words, the commands are not constant strings.
3. At least part of the data being used to construct the strings comes from user input. In other words,
at least part of the input comes from the attack surface.
4. The program does not correctly prevent the user input from changing the way that the
programmer intended the command to be interpreted.
Items 1 through 3 above may be critical to how you construct your program. For example, you may have
a database of valid users and passwords, so you need to use SQL queries to check that database (item 1). The
SQL query will need to be different for each user who tries to log in (item 2). And the username and
password will likely come from what is typed into a web form and sent to the server (item 3).
Flaws in your programs can enable successful injection attacks. Such flaws are based on user input
confusing your program into allowing commands to execute that you did not intend (item 4). Typically,
such confusions come from improper escaping of metacharacters (punctuation) or improper quoting. As a
result, text that was intended to be string data becomes part of the command itself, producing a very
different command that does something other than what the programmer intended.
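A worked example, added here and not part of the original text: a login check in Python with sqlite3 that builds the query by string concatenation (the flaw in item 4) beside a parameterised version. The table, user names and passwords are constructed assumptions; a legitimate name containing an apostrophe is enough to show the interpreter reading data as part of the command.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table; names and passwords are assumptions for
    # this example only (stored in plaintext purely to keep the example short).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("O'Brien", "pa55")])
    conn.commit()
    return conn


def build_query_unsafe(username, password):
    # Items 2 and 3: the SQL text is assembled at run time from user input.
    # Item 4: nothing escapes the quote character, so a ' inside the input
    # closes the string literal and the remainder is parsed as SQL.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_unsafe(conn, username, password):
    try:
        row = conn.execute(build_query_unsafe(username, password)).fetchone()
    except sqlite3.OperationalError as err:
        # The apostrophe in O'Brien terminates the literal early; the syntax
        # error is the benign symptom of exactly the confusion item 4 describes.
        return "query broken: " + str(err)
    return row[0] == 1


def login_safe(conn, username, password):
    # Parameterised query: the command text is a constant string (item 2 no
    # longer holds) and the interpreter never parses user input as SQL.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] == 1
```

Run `login_unsafe` and `login_safe` against `make_db()` with the name `O'Brien`: the concatenated query fails to parse while the parameterised one matches the row as intended.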