As long as code and data cannot be distinguished by machines, Injection attacks will prevail. Injection flaws are very prevalent, particularly in legacy code. Injection flaws occur when an application sends untrusted data to an interpreter. This talk will focus on different injection flaws, challenges associated with it and possible ways to mitigate it.
2. What are Injection Flaws??
Injection flaws are a class of security vulnerability
that allows a user to “break out” of the web
application context.
Weakness in an application whereby foreign input
subverts the otherwise legitimate use of a
subsystem.
Injection flaws allow attackers to relay malicious
code through an application to another system
3. Is Your Web App Vulnerable to
Injection?
User Supplied data is not validated , filtered
or sanitized by Application.
Hostile data is supplied directly to dynamic
queries or non parameterized calls for the
interpreter without context-aware escaping.
Hostile data is used with ORM search
parameters such that search evaluates out
to include sensitive or all records.
4. Different types of Injection
flaws Different subsystems == Different flaws
SQL Injection
Command Injection
HTML Injection
LDAP Injection
XML Injection
IMAP/SMTP Injection
5. SQL Injection: Database Query
Dynamic script to look into database
“Direct” access to database
Possible to issue CRUD statements and many
more….
7. Command Injection
Web application performs operating system
tasks
Execute external programs/script
List files etc.
ping –c <user_input>
Protection using Command Execution API
os.system(ping –c 127.0.0.1)
8. HTML Injection
Possible to include HTML Tags like iframe , fake forms,
XSS also possible….
Can be used in phishing attacks
9. XML Injection
Web App talks to backend web services
Web app’s logic converts parameter’s to XML web
services (as SOAP,…)
11. LDAP Injection
Lightweight Directory Access protocol
It is used to access information directories like
users, user information, software, computers.
12. LDAP Injection
Insert Special characters like(*,|,&,…) leading
to exposure of user’s confidential data
13. IMAP/SMTP Injection
This threat affects all applications that
communicate with mail servers (IMAP/SMTP),
generally webmail applications.
We need to verify the capacity to inject arbitrary
IMAP/SMTP commands into the mail servers,
due to input data not being properly sanitized.
14. State of Web framework
Security
Anti CSRF tokens – can easily turned
off/miss-configurations
Templates escapes user input – just HTML
escape ->XSS
Uses ORM – SQLi still possible
https://rails-sqli.org/
We need to use secure APIs or write secure
code
15. Can WAF solve the problem?
Web Application Firewalls are for Attack
Detection and Prevention
Most of WAFs use blacklists. No
vulnerability detection.
16. Protect Exploitation : RASP
Runtime Application Self Protection
• Detect both Attacks and Vulnerability
• No Hardware Requirements
• Inject Security at Runtime
• Applies defense inside the application
• Zero code Modification and Easy
Integration
• No use of Blacklists
17. RASP by API Instrumentation
and Dynamic White-list
Monkey Patching
Lexical Analysis and Token Generation
Context Determination
18.
19.
20.
21. Challenges
Ideal RASP should have minimum
performance impact.
Need to do adapt more secure techniques
in combination with RASP.
Minimal configuration and Easy
Deployment.
Implementing Preventing measures to
avoid session Hijacking, Credentials etc.