ZD

SWE210 Software Security Week 4

Command Injection Attacks

  • Definition: Command injection is a security vulnerability allowing attackers to execute arbitrary commands on a target system.
  • Common Injection Attack Types:
    • SQL Injection
    • LDAP Injection
    • FTP Injection
    • Command Shell Injection

SQL (Structured Query Language)

  • Purpose: A domain-specific programming language for managing relational databases.
    • Operations include querying, inserting, updating, and deleting records.
  • Example Queries:
    • SELECT * FROM Employees; retrieves all records from the Employees table.
    • SELECT * FROM Employees WHERE Department = 'Engineering'; retrieves records from the Engineering department.

SQL Injection (SQLi)

  • Vulnerability: SQL injection allows attackers to interfere with queries, enabling data retrieval they shouldn't access.
  • Example:
    • Original query: SELECT * FROM users WHERE username = 'user' AND password = 'pass';
    • Malicious input in the username field: ' OR 1=1 --, which makes the WHERE condition always true and comments out the remaining password check.
  • Consequences: Can lead to unauthorized access of sensitive information, such as passwords and credit card details.

Functioning of SQL Injection

  1. Identify Vulnerability: The attacker finds a vulnerable SQL-driven website.
  2. Inject Malicious Query: They input SQL commands through data fields.
  3. Access Data: Resultant query execution grants access to the database, potentially altering records or executing administrative commands.

Retrieving Hidden Data Example

  • Consider a shopping site querying for products:
    • Standard query: SELECT * FROM products WHERE category = 'Gifts' AND released = 1;
    • Malicious URL: https://insecure-website.com/products?category=Gifts'-- closes the string literal and comments out the rest of the query, so the AND released = 1 restriction is bypassed.

User Input Handling

  • Challenge: User input is dynamically included in SQL commands:
    • Example issue: SELECT * FROM users WHERE username='$user' AND password='$pass';
    • Vulnerability arises from not sanitizing input.

UNION Attacks

  • Concept: UNION injection allows attackers to retrieve data from other database tables by appending results to original queries.
  • Requirements:
    • Same number of columns
    • Compatible data types
  • Methods to Determine Columns:
    1. Use ORDER BY clauses incrementally.
    2. Use UNION SELECT with NULL values to probe column structure.

Tautology Attacks

  • Definition: Exploits vulnerabilities via always-true expressions.
    • Example: passwd='nothing' OR 'x'='x' allows access without knowing real credentials.

Mitigations for SQL Injection Attacks

  • Prepared Statements: Separate SQL logic from data input.
  • Input Validation: Ensure user input is sanitized.
  • Least Privilege Principle: Limit permissions for database interactions.
  • Hide Error Details: Do not expose sensitive SQL error information.
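As an added example (not from the lecture notes), the interpolated query from the User Input Handling section beside its prepared-statement form, run against a constructed SQLite table so the tautology and comment payloads above can be compared; sqlite3, the table name and its single row are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with one example user (an assumption for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pw):
    # Query built by string interpolation, like the '$user' / '$pass' example in the notes:
    # a quote in the input becomes part of the SQL syntax.
    query = f"SELECT * FROM users WHERE username='{user}' AND password='{pw}'"
    return conn.execute(query).fetchall()


def login_prepared(conn, user, pw):
    # Prepared statement: the SQL text is fixed and values are bound separately,
    # so the same inputs are compared as plain data.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (user, pw)).fetchall()


def demo():
    # Returns the number of rows each variant yields for valid and malicious inputs.
    conn = make_db()
    tautology = "' OR 'x'='x"       # tautology payload from the notes
    comment = "' OR 1=1 --"         # comment-out payload from the notes
    return {
        "vulnerable_valid": len(login_vulnerable(conn, "alice", "correct-horse")),
        "vulnerable_tautology": len(login_vulnerable(conn, "alice", tautology)),
        "vulnerable_comment": len(login_vulnerable(conn, comment, "wrong")),
        "prepared_valid": len(login_prepared(conn, "alice", "correct-horse")),
        "prepared_tautology": len(login_prepared(conn, "alice", tautology)),
        "prepared_comment": len(login_prepared(conn, comment, "wrong")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The vulnerable variant returns the user's row for both payloads even though the password is wrong, while the prepared statement returns no rows.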

LDAP Injection Attacks

  • Definition: Occurs when an attacker manipulates LDAP queries to access unauthorized data.
  • Mitigation: Proper input validation and ensuring only safe portions of input are utilized in LDAP queries.

FTP Injection

  • Definition: Attackers send unintended FTP commands through external inputs.
  • Malicious Example: Inputting mydocument.html %0a RMD . (where %0a is a URL-encoded newline) can lead to both retrieving a document and removing directories, because the newline starts a second FTP command.
  • Mitigation Strategies: Remove newline characters and filter user inputs effectively.

Shell Injection

  • Definition: Allows attackers to inject malicious shell commands via vulnerable applications.
  • Example: Command ls .; rm -R * lists files and removes all in the current directory if executed by an application without filters.