Saturday, September 24, 2011

Code injection attacks

If you are going to do software security testing of applications, you must be aware of possible code injection attacks. This is especially required when testing web applications because they face a hostile environment, the internet. Code injection means adding extra code to an executing application with the purpose of modifying the application behavior. This extra code can be in the form of HTML, Javascript or SQL or even unhandled type of text (e.g. special characters and long strings). Here are the types of code injection attacks.

1. SQL injection
It happens when the SQL statement to be executed by the application is modified by the attacker. The resulting SQL can then be something never intentioned by the software developer. SQL injection can be understood by the common example of the SQL behind the login page of the application, say
SELECT username FROM users WHERE username = 'UserName' AND password = 'Password'
Here UserName and Password are taken directly from the user input without sanitizing it. So, if the attacker provides a valid UserName but modifies the SQL by providing any password including 'x'='x', the WHERE clause becomes an ORed clause returning rows, indicating success. The result is that the attacker is able to login to the application as another user.

2. Include file injection
Some web pages use the GET method to transmit data from the client browser to the server. For example, the web page asks the user to select gender, Male or Female. This data generated by the client-side application code (e.g. "male") is visible and can be modified manually by the attacker. If the attacker includes a  valid filename in the sent data and this data is not sanitized by the server-side application code, the server evaluates the filename. This causes the server to read or execute the said file. The said file may be local to the server or even hosted on another website.

3. Cross site scripting (XSS) injection
XSS involves injecting scripts into the web pages of a website. For example, let us say that the web application (say a messaging site) immediately reflects the user input without sanitizing it. The attacker posts a link with script code. This is shown to other users of the site. If any user clicks on the malicious link, the script executes in the context of their browser. Such type of XSS is called non-persistent. If the attacker stores the malicious script permanently on the website (say in their profile or About Me webpage), it can result in persistent XSS.

4. ASP injection
It involves injecting code that is executed by the server side scripting engine, Active Server Pages. This is similar to the include file injection. The difference is that instead of providing a filename, the attacker provides a valid ASP command instead of the HTML form data. If the server-side ASP script does not sanitize the provided input, the ASP engine on the server executes the command.

If you are interested to know more about software security testing, ensure that you subscribe to this blog.