Injection Vulnerabilities in Web Applications | A03 – OWASP TOP 10 2021
Injection vulnerabilities occurs when web applications process untrusted user supplied data as a part of command or database query without performing any sanitization and checking. The injection vulnerabilities allows an attacker to execute system commands on web server, compromise backend databases and data stores, hijack user sessions etc. Almost any source of data can be an injection vector, environment variables, parameters, external and internal web services, and all types of users. Injection vulnerabilities are often found in SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries.
Detecting injection Vulnerability
An application is vulnerable to attack when:
- User-supplied data is not validated, filtered, or sanitized by the application.
- Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
- Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
- Hostile data is directly used or concatenated, such that the SQL or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.
Dynamic SQL is same as the construction of the query using string concatenation and variables at run time. The reason is that they contrast it to parameterized queries and stored procedures.
Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. Source code review is the best method of detecting if applications are vulnerable to injections, closely followed by thorough automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs.
Example of Injection Vulnerability
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. SQL injection vulnerability occurs when an application run sql quires which includes user supplied parameters without any checking or sanitization. Some example of successful exploitation of sql injection vulnerabilities are :
- Retrieving Hidden Data, where attacker can modify an SQL query to return additional results.
- Subverting Application Logic, where you can change a query to interface with the application’s logic.
- Union Attacks, where you can retrieve data from different database tables.
- Examining The Database, where you can extract information about the version and structure of the database.
- Blind SQL Injection, where the results of a query you control are not returned in the application’s responses.
OS Command Injection
Command injection vulnerability allows an attacker to execute operating system commands on a vulnerable web server. This vulnerability occurs when an application passes unsafe user-supplied data without any sanitization or proper security checks to shell command execution functions like system(), shell_exec() etc. and these function will execute user/Attacker supplied command. The attacker can sends user supplied data through Get/Post parameters, cookies, http headers, form etc.
The data stored in XML can be accessed via XPath queries similar to sql queries. It is also a query language and is used to locate specific elements in a XML document. In XPath there are no access level permissions and it is possible to refer almost any part of an XML document unlike SQL which allows restrictions on databases, tables or columns.
XPath injection occurs when the application uses user-supplied information to construct an XPath query for XML data without any checking or sanitization. XPath Injections might be even more dangerous than SQL Injections since XPath lacks access control and allows querying of the complete database (XML document), whereas many SQL databases have meta tables that cannot be accessed by regular queries.
A NoSQL injection vulnerability is an error in a web application that uses a NoSQL database. This web application security issue lets an attacker to bypass authentication, extract data, modify data, or even gain complete control over the application. NoSQL injection attacks are the result of a lack of data sanitization.
Server side Template Injection
Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining distributed directory information services over an internet protocol network. LDAP’s primary function is enabling users to find data about organizations, persons, and more. Data and resources that you can find with LDAP include files and user information. When the target application insecurely uses some user input to query an LDAP directory, then an attacker can perform an injection to bypass restrictions, read unauthorized data, etc.
An XSS vulnerability arises when web applications take data from users and dynamically include it in web pages without first properly validating the data. XSS vulnerabilities allow an attacker to execute arbitrary commands and display arbitrary content in a victim user’s browser. A successful XSS attack leads to an attacker controlling the victim’s browser or account on the vulnerable web application. A successful XSS attack can lead to following problems :
- Stealing the Identity and Confidential Data(credit card details).
- Bypassing restriction in websites.
- Session Hijacking (Stealing session)
- Malware Attack
- Website Defacement
- Denial of Service attacks(Dos)
- Phishing attacks
Remediation of Injection Vulnerability
- Use parameterized queries (prepared statements) instead of string concatenation within sql query.
- Treat all user input as untrusted. Any user input that is used in an SQL query introduces a risk of an SQL Injection. Treat input from authenticated and/or internal users the same way that you treat public input.
- Don’t filter user input based on blacklists. A clever attacker will almost always find a way to circumvent your blacklist. If possible, verify and filter user input using strict whitelists only.