OWASP Top 10: A1: Injection Vulnerability (Impact & Mitigation)
By Mohammed Tahir
What is an Injection?
An injection is a class of attack in which untrusted data, usually supplied through a website's input fields, is sent to an interpreter as part of a query or command and changes what that query or command does. The root cause is always the same: the application builds the query or command by concatenating user input into it, so the interpreter cannot tell where the developer's code ends and the user's data begins. A successful injection can lead to data theft, data loss, or access to data without authorization.
Different Types of Injections
- SQL injection
- OS command injection
- Host header injection
- XPath injection
- CRLF injection
- Email header injection
- LDAP injection
SQL Injection
A SQL injection attack inserts SQL syntax into the application's database query via input supplied from the client. The simplest form is performed through ordinary user input: web applications typically collect user input through a form, and the front end passes it to the back-end database for processing. If the application builds the query by concatenating that input into SQL text, the input is parsed as SQL rather than treated as data.
A successful SQL injection exploit can read sensitive data from the database, modify database data (INSERT/UPDATE/DELETE), bypass authentication, disclose information about the schema and server, or cause denial of service. Depending on the privileges and features of the database account in use, the entire system may be compromised.
OS Command Injection
An operating system (OS) command injection attack occurs when an attacker is able to execute operating system commands with the privileges of the account running the web application. Attackers who gain this foothold can change, manipulate, or read data; run commands that steal data or attack other infrastructure; and engage in other damaging activity. The impact of command injection depends heavily on the privileges of that account, which is one reason to run web applications as an unprivileged user.
Host Header Injection
Host header injection is one instance of the broader class of HTTP header injection, which occurs when Hypertext Transfer Protocol (HTTP) headers are created dynamically from user input. The Host header is a request header fully under the attacker's control, so an application that trusts it (for example to build absolute URLs in password reset links) can be made to emit links pointing at the attacker's domain. Header injection into HTTP responses can permit HTTP response splitting, session fixation via the Set-Cookie header, cross-site scripting (XSS), and malicious redirects via the Location header.
XPATH Injection
XPath is the language used to query XML documents in order to locate information, such as elements matching a certain pattern or containing a given attribute. XPath injection is a vulnerability in which the attacker manipulates the query sent to an XML document by injecting XPath syntax into a user input field. It is caused by unsanitized user input being concatenated into the query, so that unintended XPath expressions are evaluated against the document, which can reveal data (for example, every user's record) and expose the application's logic. Unlike SQL, XPath has no concept of access control or permissions within the document, so a successful injection typically exposes the whole file.
CRLF Injection
Carriage Return (CR, 0x0D) and Line Feed (LF, 0x0A) are ASCII control characters whose sequence is used to separate HTTP headers. CRLF injection is a coding vulnerability that occurs when an attacker injects a CRLF sequence into a place where the application does not expect one, such as the value of a header. When CRLF injection is used to split an HTTP response header, it is referred to as HTTP response splitting. CRLF injection vulnerabilities result from input that is not neutralized, is incorrectly neutralized, or is otherwise unsanitized.
Email Header Injection
Email header injection typically targets the contact pages of a website, where the form contents are sent by email to an intended recipient. The contact page builds message headers (such as From, To and Subject) from the form fields when it hands the message to the mail server. A malicious user who can insert line breaks into a field may be able to introduce additional headers into the message, thereby instructing the mail server to behave differently than intended. Email header injection is also known as SMTP header injection, as unwanted user input is injected into SMTP headers, allowing the attacker to use the mail server to send spam or phishing messages to arbitrary recipients.
LDAP Injection
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to alter LDAP statements through techniques similar to SQL Injection. LDAP injection attacks are common due to the two factors mentioned below:
- The lack of safer, parameterized LDAP query interfaces
- The widespread usage of LDAP to authenticate users to systems.
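The following is an added example, not code from the original article, illustrating the two points above: because LDAP has no parameterized query interface, the defence is to escape every metacharacter in a value before it is placed in a filter (the RFC 4515 backslash-hex encoding). The toy in-memory directory at the bottom is an assumption written only to show the effect of the two filters; it evaluates the simple `(attr=value)` assertions with `*` wildcards and is not an LDAP server.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter
# assertion value: each becomes a backslash and the two-digit hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape an untrusted string for use as a value in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(username: str, password: str) -> str:
    # Raw interpolation: '*', '(' and ')' in the input become filter syntax.
    return f"(&(uid={username})(userPassword={password}))"


def login_filter_safe(username: str, password: str) -> str:
    # Every metacharacter is encoded, so the input can only ever be a value.
    return (f"(&(uid={ldap_filter_escape(username)})"
            f"(userPassword={ldap_filter_escape(password)}))")


# --- Toy in-memory directory (assumption, not an LDAP server) ------------
# It finds the '(attr=value)' assertions in the filter, ANDs them, and
# honours an unescaped '*' as a wildcard the way a real server would.

_ASSERTION = re.compile(r"\((\w+)=([^()]*)\)")
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def _unescape(piece: str) -> str:
    # Turn '\2a' back into the literal character it stands for.
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), piece)


def _value_matches(assertion: str, actual: str) -> bool:
    # Unescaped '*' splits the pattern into fragments that must appear in order.
    pieces = [_unescape(p) for p in assertion.split("*")]
    if len(pieces) == 1:
        return pieces[0] == actual
    if not actual.startswith(pieces[0]) or not actual.endswith(pieces[-1]):
        return False
    pos, end = len(pieces[0]), len(actual) - len(pieces[-1])
    for middle in pieces[1:-1]:
        i = actual.find(middle, pos, end)
        if i < 0:
            return False
        pos = i + len(middle)
    return True


def toy_search(directory, filter_text: str):
    """Return the entries (dicts) of `directory` that satisfy every assertion."""
    assertions = _ASSERTION.findall(filter_text)
    return [entry for entry in directory
            if all(_value_matches(v, entry.get(attr, "")) for attr, v in assertions)]


# Constructed sample entries (not real accounts).
DIRECTORY = [
    {"uid": "alice", "userPassword": "s3cret"},
    {"uid": "bob", "userPassword": "hunter2"},
]

if __name__ == "__main__":
    attacker = ("*", "*")  # wildcard username and password
    print(toy_search(DIRECTORY, login_filter_vulnerable(*attacker)))  # both entries
    print(toy_search(DIRECTORY, login_filter_safe(*attacker)))        # []
```

With the unescaped filter the attacker's `*` matches every entry and the login succeeds without knowing any password; with the escaped filter the same input is compared as the literal string `*` and matches nothing.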
Business Impact of Injection Vulnerability
Consider the business value of the affected data and of the platform running the interpreter. If all of the data can be stolen, modified, or deleted, what is the cost to the business, and will your reputation be harmed?
Technical Impact of Injection Vulnerability
Data disclosure can have a ruinous outcome, both for your customers and for the business itself. In some of the most publicized attacks, criminals exposed Social Security numbers, credit card numbers, email addresses, account passwords, and other personal information, putting customers at risk of identity theft, fraud, and more. Beyond disclosure, injection can corrupt or delete data and, where the interpreter runs with sufficient privileges, lead to compromise of the whole host.
Mitigation Techniques for Injection Vulnerabilities
Mitigation for SQLi
There are many ways to defend against SQL injection. The primary defense is prepared statements (parameterized queries). This technique forces the developer to define all of the SQL code first and then pass each parameter to the query separately, so the database always distinguishes code from data regardless of what the user supplies. Parts of a statement that cannot be parameterized, such as table or column names in an ORDER BY clause, must be checked against an allow-list of known values instead of being concatenated in.
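The following is an added example, not from the original article, showing the vulnerable concatenated login query beside its prepared-statement form, plus the allow-list needed for an identifier that cannot be bound. It uses Python's standard `sqlite3` module against an in-memory database whose rows are constructed sample data.

```python
import sqlite3

# Identifiers cannot be bound as parameters; this is the only accepted set.
ALLOWED_SORT_COLUMNS = {"username", "id"}


def make_db() -> sqlite3.Connection:
    """Constructed sample database. Passwords are stored in clear text only so
    that the injected query's effect is easy to see; real code stores hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the statement with string formatting: the input is parsed as SQL."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Prepared statement: the SQL text is fixed, the values travel separately
    and can never change the structure of the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def list_users_sorted(conn, sort_column: str) -> list:
    """A column name in ORDER BY cannot be a bound parameter, so it is checked
    against the allow-list before it is spliced into the query text."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_column}").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"   # closes the literal, makes WHERE always true, comments out the rest
    print(login_vulnerable(db, payload, "anything"))  # alice: authentication bypassed
    print(login_safe(db, payload, "anything"))        # None: payload is just an odd username
```

The payload turns the vulnerable statement into `... WHERE username = '' OR 1=1 --' AND password = 'anything'`; everything after `--` is a comment, so the first row in the table is returned. The prepared statement compares the same bytes as a username value and finds no such user.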
Mitigation for Os Command Injection
The application should use command APIs that launch a specific process by name with an explicit list of command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. Examples include the Java API Runtime.exec and the equivalent ASP.NET API. Even with such APIs, input that ends up as an argument should still be validated against an allow-list, because an attacker who controls an argument can still pass options to the launched program.
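The following is an added example, not from the original article, contrasting the three ways of launching a process from Python's `subprocess`: a concatenated shell string, an argument vector, and an argument vector behind an allow-list. `echo` stands in for a network tool such as nslookup so that the example runs offline; the hostname regex is an assumption of the example.

```python
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def resolve_vulnerable(host: str) -> str:
    """Concatenates the input into a shell command line. The shell parses
    ';', '|', '&&' and $(...) inside `host`, so the attacker runs commands."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def resolve_argv_only(host: str) -> str:
    """Launches the program directly with an argument vector: no shell is
    involved, so metacharacters reach the program as literal text."""
    result = subprocess.run(["echo", "resolving", host],
                            capture_output=True, text=True)
    return result.stdout


def resolve_safe(host: str) -> str:
    """argv form plus allow-list validation. Validation still matters: the argv
    form stops command chaining but not argument injection (an input such as
    '--output=/tmp/x' would otherwise reach the program as an option)."""
    if not _HOSTNAME.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return resolve_argv_only(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(resolve_vulnerable(payload), end="")  # two lines: the second is the injected command
    print(resolve_argv_only(payload), end="")   # one line containing the payload verbatim
    print(resolve_safe("example.com"), end="")  # resolving example.com
```

Note that `shell=True` with a string is the dangerous form; `shell=False` (the default) with a list never invokes `/bin/sh`, which is why the second call prints the payload as plain text.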
Mitigation for Host Header Injection
Do not allow newline characters in any value that will be copied into a header. Where possible, use strict whitelisting: compare the incoming Host header against the list of hostnames the application is actually served on, and reject the request (or fall back to a configured canonical hostname) rather than using an unexpected value to build URLs.
Mitigation for XPath Injection
Much like SQL injection, the best defense against this attack is to use precompiled (parameterized) XPath queries. These queries are defined before program execution, with user input bound as variables, so one avoids the error-prone escaping of bad characters. If a dynamic query must be built, ensure that the characters used to break out of the string context (single and double quotes) are escaped or rejected, so that the input is always treated as a string literal and never as XPath syntax.
Mitigation for CRLF
Always follow the rule of never trusting user input. Validate or neutralize all user-supplied data before it is placed in an HTTP header, rejecting values that contain CR or LF rather than silently stripping them, and encode any output that is reflected into headers, so that CRLF sequences and their consequences (response splitting, header injection) cannot reach the client.
Mitigation for Email Header Injection
Mitigating email header injection means validating user input so that it cannot contain newline characters, which are what allow an additional SMTP header to be appended. In general, the simplest and most robust way to achieve strong input validation is a whitelist of the characters allowed in each header field, for example the characters valid in an email address for the From field.
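Because HTTP response splitting, Host header trust and SMTP header injection share one root cause, an attacker-controlled value copied into a header, the following single added example (not from the original article) covers the sections above on HTTP header injection, CRLF injection and email header injection together with their mitigations. `ALLOWED_HOSTS`, `support@example.com` and the message shapes are assumptions of the example; `parse_headers` shows how a browser or mail server would read the resulting raw message.

```python
import re

# Hostnames this deployment is actually served on (assumed for the example).
ALLOWED_HOSTS = {"app.example.com"}

_CR_LF_NUL = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a value about to be placed in a header would terminate it."""


def header_value(value: str) -> str:
    """Reject CR, LF and NUL rather than stripping them: a value containing
    them is attacker-shaped, and silently stripping would hide the attempt."""
    if _CR_LF_NUL.search(value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def parse_headers(message: str) -> dict:
    """Split a raw HTTP response or mail message into its header fields the
    way a consumer would: headers end at the first blank line, names are
    case-insensitive, and a repeated name yields a list of values."""
    head = message.split("\r\n\r\n", 1)[0]
    fields = {}
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


# --- HTTP response splitting via the Location header ----------------------

def redirect_vulnerable(target: str) -> str:
    # CRLF inside `target` ends the Location header and starts new ones.
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def redirect_safe(target: str) -> str:
    return f"HTTP/1.1 302 Found\r\nLocation: {header_value(target)}\r\n\r\n"


# --- Host header trust ----------------------------------------------------

def canonical_host(host_header: str) -> str:
    """Allow-list the Host header before it is used to build an absolute URL.
    The port is dropped; bracketed IPv6 literals are deliberately not handled
    because only the configured names are acceptable anyway."""
    host = host_header.split(":", 1)[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return host


def password_reset_link(host_header: str, token: str) -> str:
    return f"https://{canonical_host(host_header)}/reset?token={token}"


# --- SMTP header injection through a contact form -------------------------

def contact_mail_vulnerable(sender: str, subject: str, body: str) -> str:
    return (f"From: {sender}\r\nTo: support@example.com\r\n"
            f"Subject: {subject}\r\n\r\n{body}")


def contact_mail_safe(sender: str, subject: str, body: str) -> str:
    return (f"From: {header_value(sender)}\r\nTo: support@example.com\r\n"
            f"Subject: {header_value(subject)}\r\n\r\n{body}")


if __name__ == "__main__":
    # Constructed payloads: a fixated session cookie and a hidden Bcc recipient.
    split = parse_headers(redirect_vulnerable("/home\r\nSet-Cookie: session=attacker"))
    print(split["set-cookie"])   # ['session=attacker'] now set by the response
    mail = parse_headers(contact_mail_vulnerable(
        "a@b.example", "Hi\r\nBcc: victim@example.net", "hello"))
    print(mail["bcc"])           # ['victim@example.net'] added by the form field
    print(password_reset_link("App.Example.com:443", "t0k"))
```

The vulnerable builders show the page's two consequences directly: the injected `Set-Cookie` header is parsed as a genuine response header (session fixation), and the injected `Bcc` line turns the contact form into a mail relay. The safe builders fail closed on the same inputs, and `password_reset_link` refuses to place any host in a URL that is not one the application is known to serve.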