Every business is facing a constant cyber threat. They are being targeted by a multitude of sources. No business can claim to have 100% security from a cyberattack. In simple words, the cyber world has many more threats to avoid than one could ever imagine. The claim is backed by Kaspersky Labs 2017 report, indicating that their in-lab detection technology peaked at 360,000 new malicious files a day. This data depicts 11.5% of increment from last year’s data and malware is just one of the threats that’s the businesses are concerned about .
Identifying a vulnerability and fixing it, to stop further/any exploitation is the only way to strengthen the security of your business. In a series of five articles, we’ll cover five of the most common vulnerabilities that have the potential to draw the attention of cyber attackers.
Injection Vulnerabilities or Injection Flaws
Injection vulnerabilities are those flaws that allow cyber attackers to inject malicious code in another system (especially to an interpreter) using an application. In simpler terms, when an application accepts user inputs and allows these inputs to enter a database, shell command, or operating system, making the application susceptible to an injection flaw. These flaws are usually a result of insufficient input validation. Other causes involve failure to filter or sanitize a user’s input.
Common Types of Injection Flaws
A few common types of injection flaws are:
SQL Injection—SQL Injection, also denoted as SQLi, is the most common attack vector, where perpetrators insert malicious SQL code into a backend database to provide unauthorized access to private data.
Command Injection—Under this injection vulnerability, arbitrary commands are executed on the host operating system using a flawed application.
LDAP Injection—It attacks web applications by constructing LDAP statements as per the user inputs. When an improper data sanitization occurs on input, this gives way to modify LDAP statements using a local proxy. Thus, granting permission to unauthorized queries.
XPath Injection—This type of injection flaw is like an SQLi attack. Under this, a website uses input data to construct an XPath query for XML data. A cybercriminal can intentionally send malformed data to either access or damage the existing structure of the XML data.
XML Injection—When an unintended XML script is added to an existing XML script to insert malicious content to alter the intention of the application, it is known as XML injection.
Are You Vulnerable to Injection Flaws?
The source code of your application or website is the best way to determine if you are vulnerable to injection flaws. If the source code of your app or website allows external resources to link to backend data, then it is possible that you are or will potentially be under attack. External resources include system call, using exec, fork, Runtime.exec, SQL queries, or any other command/syntax that can request interpreters to deal with input data. With different languages using different ways to run external commands, it is important that developers pay close attention to reviewing their source code and look for HTTP requests being invoked by input data to make a malicious action.
Possible After-Effects of Injection Flaws
The possible consequences of this type of cyberattack can result in loss of data, unintentional display of sensitive data, denial of service, and unauthorized control of the system by the perpetrator.
Real-Life Examples of Injection Flaws
A few real-world examples will help you to understand the impact of injection flaws:
Case 1: Cybercriminals Put Behind the Bars for SQLi Attacks
In 2009, Heartland Payment Systems faced a data breach, which remained one of the biggest data breaches for years to come. It was found that the company claimed to have compromised 100 million cards and the details of more than 650 financial service companies. Later, during the trial, it was also revealed that the three victim corporates lost US$300 million. In total, the Heartland attack compromised 160 million credit card numbers, inclusive of company corporates and individual consumers.
After finding two Russian gang members guilty in 2013, they were both sentenced to prison. While the mastermind, Albert Gonzalez was sentenced with 20 years of prison in March 2010. The attack had three other criminals involved.
The gang used SQLi attacks to carry out their malicious intent .
Case 2: Rasputin Attacks
Rasputin, the Russian lone cybercriminal hacked into around dozens of universities and government agencies in a span of 1 year (from 2016 to 2017). He used SQLi attacks against the victim’s web applications. A few known victims of his cyberattacks include Cornell University, University of Cambridge, S. Postal Regulatory Commission, S. Department of Housing and Urban Development, and many others .
How to Mitigate Cyberattacks Involving Injection Flaws?
There are many ways through which injection flaws can be mitigated efficiently:
Verification of data against expected data before calling an external function. This process is known as validation. For instance, if your defined function is accepting a string value for entering the first name of the user, then there is no requirement for allowing the insertion of special characters.
Filtering can be done by blacklisting or whitelisting the input values.
Blacklisting: Bad input is either rejected or stripped in the process of data input. This process is categorized as blacklisting. It comes with its own limitations as cyber attackers have their ways to bypass this. Let’s say, a developer strips an attacker from using single quote (‘) or double quote (“), in such as case, the attacker can encode these characters using URL encoding, converting it into %22 or %27. Blacklisting alone can never give you the required results. It is recommended to use this method with other mitigation methods.
Whitelisting: The process under which only required inputs are accepted. This gets difficult when you have a text field accepting an e-mail address. The function associated with this text field needs to allow special characters, such as “.” and “@”. Even limiting the length of the input data becomes challenging.
- Encoding or Sanitizing
Encoding or sanitization refers to the process responsible for transforming bad characters into harmless ones. This process needs to take place on a case-by-case basis. One of the most common examples of encoding involves HTML entity encoding, where characters like ‘and’ are replaced with ' and " respectively.
The process of escaping makes specialized characters interpret as a string literal. This is done using backslashes. Interpreting special characters as string literals help to change the intention of the function in a non-threatening way. This process generally changes with the language at hand.
Parametrization or a prepared statement is when only the parameters are accepted during the execution of the query. This makes it difficult for cybercriminals to alter the intention of the defined functions.
A combination of all these methods can help you to mitigate attacks related to injection flaws to a great extent.
Injection flaws have the capacity to alter the functioning of an application or database, but it can be controlled with proper methods, such as validation, filtering, and others mentioned. The next part of the series will give a detailed knowledge of buffer overflows posing as one of the most common cyber vulnerabilities.
Sources https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-number-of-the-year  https://nakedsecurity.sophos.com/2018/02/19/hackers-sentenced-for-sql-injections-that-cost-300-million/  https://www.calyptix.com/top-threats/biggest-cyber-attacks-2017-happened/