AppSec Advisor: Injection Attacks
Volume 1 / Number 2 / October 2019
Welcome to the first issue of the AppSec Advisor newsletter. AppSec Advisor’s goal is to communicate to the MS-ISAC community and their peers the best security practices for application design and implementation. We want to achieve confidentiality, integrity, and availability of the data that an application creates, uses, stores, transmits, and disposes of. This newsletter will be a shared responsibility for all the members of the MS-ISAC Application Security workgroup. Please be alert to information that you think may be useful to share with those who will be reading this newsletter; the information you provide may be what a fellow colleague needs. Keep secure!
What are they?
The term “injection” encompasses a range of different attack types. This includes vectors such as SQL injection (the most commonly known type), code injection, LDAP injection, and many more. Depending on the kind of injection, different outcomes are possible, such as unintended data being returned, malicious code being executed in the user's browser, or even unwanted commands being executed on the application’s hardware.
Injections are one of the oldest and most dangerous attacks aimed at web applications. This type of threat has continued to be rated the top security risk in the OWASP Top 10 Most Critical Web Application Security Risks assessments. This high ranking is due to how dangerous and widespread this type of vulnerability is in applications, especially legacy ones. Another reason for the high ranking is how large the attack surface is and how well understood this vulnerability type is. Because of this, many freely available tools exist that allow even the most novice attackers to automatically attack web applications with ease.
At the core of this type of vulnerability is the injection of untrusted data or code into a trusted environment. For example, if there is a trusted connection between a web application and an underlying database and someone is able to add extra data to a query issued by the web application, then the query can return unintended data or even perform database operations such as deleting data or the database itself. This could be done by modifying the URL of the site to include SQL commands or by submitting code into a textbox on the web site. This type of attack is a SQL injection.
How to mitigate
There are several different ways to mitigate injection attacks. These include defenses such as parameterized statements, escaping of user input, input validation, whitelisting, and limiting permissions. Most of these focus on validating and isolating how user input is handled by the application, constraining the input to parameters of certain data types or validating that the input is correctly formed. Escaping of user input is another way to limit injection attacks. Limiting the permissions of the credentials used by the application to connect to a database or other system is another good way to mitigate this type of attack. Since the connections between the web application and other systems are often treated as trusted connections, it is a good idea to isolate what actions the credentials used in these connections can perform on other systems. An example of this would be to remove the ability of a credential to perform actions such as editing a database record or deleting a database when the web application should only perform read actions.
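The following example, added here and not part of the original newsletter, puts the first two mitigations side by side against a small constructed SQLite table: a query built by string concatenation, the same query as a parameterized statement, and a whitelist for a column name (which cannot be parameterized). The same parameter pattern applies to SqlParameter objects in .NET; the table contents and the sample input are constructed for illustration.

```python
import sqlite3

# Constructed sample data: a small in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted input spliced into the query text: the classic injection defect.
    # A quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # The placeholder keeps the input as data; the driver never parses it as SQL,
    # so a quote in the input is just a character to compare against.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Identifiers (table or column names) cannot be bound as parameters,
# so they are constrained to a fixed whitelist instead.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}

def sort_column_allowed(column):
    return column in ALLOWED_SORT_COLUMNS

def list_users_sorted(conn, column):
    if not sort_column_allowed(column):
        raise ValueError("unsupported sort column: %r" % column)
    # Safe to interpolate only because the value came from the whitelist above.
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]

def demo():
    # A constructed input that closes the quoted literal and appends a tautology.
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),      # every row comes back
        "parameterized": lookup_parameterized(conn, payload),  # no user is named that
    }

if __name__ == "__main__":
    print(demo())
```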
Code of the Month
Technologies in use: .NET
.NET (dotnet) is an encompassing term primarily used to refer to a family of software frameworks created by Microsoft. In the beginning, the term was usually applied to the .NET Framework, a primarily Windows-based software framework that included the Framework Class Library (FCL) and provided interoperability between multiple programming languages. Recently it has evolved to cover other frameworks targeting several different platforms, such as the .NET Compact Framework for mobile devices, the .NET Micro Framework for embedded systems, and .NET Core, a cross-platform and cloud computing framework.
At its core, though, .NET establishes a standard class library, the Common Language Runtime (CLR), and support for multiple programming languages. .NET supports the creation of various types of software, such as desktop, server, and mobile applications.
Term of the Month
SAST/DAST - Static (source code) / Dynamic (web app/deployed) Application Security Testing
Some of these tools may be familiar. Please let the workgroup know of other tools you know that may be useful for future publications.
Wireshark: Popular network protocol analyzer; looks closely at traffic to and from devices (incl. USB); can save and load captured data files (.pcap).
AppSec Use: Can help determine which ports and destination IPs an application uses to communicate.
Nmap: Network discovery and security auditing; can determine what ports are open and which services are enabled on remote devices.
AppSec Use: Can help determine which services are enabled, by application name and version, and over which ports.
Fiddler: HTTP debugging proxy server app; captures and logs HTTP(S) traffic using man-in-the-middle interception.
AppSec Use: Can be configured to act as an intermediary for HTTP(S) traffic that an application could use.
- Wikipedia - Code Injection
- OWASP Injection Theory
- OWASP Testing for SQL Injection
- OWASP Injection Protection Cheat Sheet
- OWASP SQL Injection Protection Cheat Sheet
- DZone- What Are Injection Attacks?
- SQL Injection
Alder Locke | Senior Development Analyst, Multnomah County, OR
Brett Scott | Applications Security Analyst, Multnomah County, OR
Jacob Bartruff | Senior Development Analyst, Multnomah County, OR
Jessica Cone | Program Specialist, MS-ISAC