In the third entry of this ten-part blog series, we take a brief look at A03:2021: Injection.
Its place at number three on the OWASP Top Ten (2021) reflects how often web applications are found to be vulnerable to Injection through multiple vectors; the 2021 edition also folded Cross-site Scripting into this category.
Injection occurs when an application builds a command or query for an interpreter (a SQL database, an LDAP directory, a template engine, the browser's HTML parser) from untrusted data without validating or sanitising it, so that the data is parsed as part of the command rather than treated as a plain value. Once this untrusted data is allowed through, it can cause the execution of unintended commands, unauthorised access to data and other unintended effects.
Some common types of Injection are as follows:
- Cross-site Scripting (XSS) – The attacker injects script into a page served by an otherwise regular web application, and the script then runs in the victim's browser with the application's origin. In stored XSS the payload is saved by the server and served to later visitors; in reflected and DOM-based XSS it travels in the request and is never stored.
- SQL Injection (SQLi) – The attacker supplies SQL syntax through a user-controlled field that the application concatenates into a query. The effects of a successful SQL Injection attack are varied, including information disclosure, data loss, theft of data and authentication bypass.
- Lightweight Directory Access Protocol (LDAP) Injection – LDAP Injection can be used against web applications that construct LDAP search filters from user input. If the application does not escape that input, an attacker can change the logic of the filter and gain unauthorised access to sensitive directory information.
- Server-Side Template Injection (SSTI) – SSTI may occur where user input is embedded in a template in an unsafe manner, so that the input becomes part of the template source rather than a value rendered by it. An attacker can exploit the template engine's regular syntax to inject payloads that are executed server-side. This can lead to Remote Code Execution and sensitive data disclosure if successful.
The list above is not exhaustive, as many different processes in a web application can be leveraged in an Injection attack. The impact of a successful Injection attack varies, and includes:
- Unauthorised access to data.
- Loss of Data and Data Integrity.
- Privilege Escalation.
- Denial of Access.
It is very important to ensure that your web application is not vulnerable to injection attacks considering the impact such an attack can have on your application and any client data you may store.
Preventing Injection attacks
- Ensure that data supplied via user inputs is always validated, typically using an allow list. Validation is a defence-in-depth measure, not a substitute for keeping data separate from command syntax.
- Use parameterised queries (prepared statements) instead of dynamically constructing SQL queries with user input. Apply the same principle to other interpreters: escape values placed in LDAP filters, pass user data to templates as variables rather than as template source, and encode output for the HTML context it lands in.
- Regularly patch and update systems, databases, and applications. Injection flaws are often found in third-party components that developers do not review themselves, so keeping those dependencies at their latest version is critical.
- Ensure that database accounts have the least privilege necessary where possible.
- Undertake regular security reviews that will catch and highlight areas of vulnerability.
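As an added example (not code from the original post), the following Python script puts the SQL and LDAP Injection patterns described in the list above beside the defences recommended in this section: a login query built by string formatting next to its parameterised form, an allow-list check for the username, and an LDAP filter built with and without RFC 4515 escaping of the value. The users table, its rows, the payloads and all function names are constructed for this demonstration and are not taken from any real system.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
# Passwords are stored in clear text only to keep the toy short; a real
# application would store a salted password hash.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so the database
    parses it as SQL. Returns (username, role) of the first matching row."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn, username, password):
    """Hardened: placeholders keep the query text fixed; the driver passes the
    values separately, so quotes or comment markers in them are just data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    """Allow-list validation: accept only the characters a username needs."""
    return USERNAME_RE.fullmatch(username) is not None


# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape_filter_value(value):
    """Escape each character that has meaning in an LDAP filter assertion value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_vulnerable(username):
    # Vulnerable: an input such as '*)(uid=*))(|(uid=*' rewrites the filter logic.
    return "(&(uid=%s)(objectClass=person))" % username


def ldap_filter_safe(username):
    # Hardened: the same filter, with the value escaped before it is embedded.
    return "(&(uid=%s)(objectClass=person))" % ldap_escape_filter_value(username)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1' --"
    print("vulnerable   :", login_vulnerable(conn, payload, "anything"))
    print("parameterised:", login_parameterised(conn, payload, "anything"))
    print("allow-list   :", validate_username(payload))
    print(ldap_filter_vulnerable("*)(uid=*))(|(uid=*"))
    print(ldap_filter_safe("*)(uid=*))(|(uid=*"))
```

Run as a script, the vulnerable login returns alice's admin row for the classic `' OR '1'='1' --` payload with any password, because the `--` turns the rest of the query into a comment; the parameterised login returns nothing for the same input, and the allow list rejects it before a query is ever built. The LDAP half shows the point from the prevention list that parameterisation has an equivalent for each interpreter: with escaping applied, the injected `*`, `(` and `)` can no longer alter the filter's structure.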
Injection vulnerabilities are a mainstay of the OWASP Top Ten list because they remain a significant challenge for developers creating web applications in a secure manner. If a system is built so that untrusted data passed by a user is not correctly validated and sanitised, the attack succeeds while the web application simply follows its regular process for handling the data passed to it. This vulnerability type remains prevalent because dynamic content in a web application is a double-edged sword: user experience and personalisation are enhanced, but the same process opens avenues for manipulating the application.
When conducting penetration tests against a client’s web application, the team at CyberWhite follow the OWASP framework closely. This allows us to check applications against the OWASP Top Ten list, including Injection attacks as explored in this blog post.
If you have any questions, please reach out to Kieron.