An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
Attack Execution Flow

Explore

1. Discovery of potential injection vectors:
Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).
Attack Step Techniques
1. Manually cover the application and record the possible places where arguments could be passed into external systems. (env-All)
2. Use a spider, for web applications, to create a list of URLs and associated inputs. (env-All)
Indicators
1. Positive: Arguments are used by the application in exposed services or methods. (env-All)
2. Inconclusive: No parameters appear to be used. (env-All)
3. Negative: Application does not use any inputs. (env-All)
Outcomes
1. Success: A list of parameters and arguments to modify is identified.
2. Success: A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.), is created by the attacker.
Security Controls
1. Detective: Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
2. Detective: Create links on some pages that are visually hidden from web browsers. Using IFRAMEs, images, or other HTML techniques, the links can be hidden from humans browsing the site but remain visible to spiders and programs. A request for such a page is then a good predictor of an automated tool probing the application.
3. Preventative: Use CAPTCHA to prevent the use of the application by an automated tool.
4. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
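Detective control 1 above, worked through as an added example that is not part of the original entry: the log lines are constructed, the client addresses are documentation ranges, and the thresholds (median gap of at most 2 seconds, gap standard deviation within 25 percent of the mean, at least 5 requests) are assumptions to tune per site.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Common Log Format (not from any real server):
# 203.0.113.5 fetches pages one second apart, like a spider; 198.51.100.7 browses at a human pace.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=a HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /item?id=1 HTTP/1.1" 200 800
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /item?id=2 HTTP/1.1" 200 805
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1200
198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:56:12 +0000] "GET /about.html HTTP/1.1" 200 1200
198.51.100.7 - - [10/Oct/2023:13:58:03 +0000] "GET /contact HTTP/1.1" 200 900
198.51.100.7 - - [10/Oct/2023:13:58:12 +0000] "GET /item?id=7 HTTP/1.1" 200 810
198.51.100.7 - - [10/Oct/2023:13:59:19 +0000] "GET /search?q=x HTTP/1.1" 200 520
"""

CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def request_gaps(log_text):
    """Return {client_ip: [seconds between consecutive requests]}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m:  # lines that are not in CLF are skipped
            times[m["ip"]].append(datetime.strptime(m["ts"], TS_FORMAT))
    gaps = {}
    for ip, stamps in times.items():
        stamps.sort()
        gaps[ip] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def flag_automated(log_text, max_median_gap=2.0, max_rel_stdev=0.25, min_requests=5):
    """Client IPs whose requests are fast (median gap <= max_median_gap s) and
    regular (gap stdev <= max_rel_stdev * mean); humans are slow and irregular."""
    flagged = set()
    for ip, gaps in request_gaps(log_text).items():
        if len(gaps) + 1 < min_requests:
            continue  # too few requests to judge
        mean = statistics.mean(gaps)
        regular = mean == 0 or statistics.pstdev(gaps) / mean <= max_rel_stdev
        if regular and statistics.median(gaps) <= max_median_gap:
            flagged.add(ip)
    return flagged
```

Common Log Format only has one-second resolution, so sub-second cadences such as the 0.8 seconds mentioned above need a log format with millisecond timestamps.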
Experiment

1. Attempt variations on argument content:
Possibly using an automated tool, the attacker will perform injection variations of the arguments.
Attack Step Techniques
1. Use a very large list of probe strings in order to detect whether there is a positive result and, if obscure, what type of system has been targeted. (env-All)
2. Use a proxy tool to record results, error messages and/or the log, if accessible. (env-All)
Indicators
1. Positive: The application behaves as if the injection has been a success. (env-All)
2. Inconclusive: No result appears. (env-All)
Outcomes
1. Failure: It is possible to monitor the application and to see that the argument has been validated.
Security Controls
1. Preventative: Actively monitor for malicious inputs.
2. Detective: Monitor the services' and/or methods' use of the arguments.
Exploit

1. Abuse of the application:
The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.
Attack Step Techniques
1. Manually inject a specific payload into the targeted argument. (env-All)
Outcomes
1. Success: The attacker observes the desired effect.
Security Controls
2. Preventative: Actively monitor for malicious inputs.
3. Detective: Monitor the services' and/or methods' use of the arguments.
Attack Prerequisites
Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.
Software must allow unvalidated or unfiltered input to be executed on the operating system shell, and, optionally, the system configuration must allow output to be sent back to the client.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
A recent example instance of argument injection occurred against Java Web Start technology, which eases the client-side deployment of Java programs. JNLP files are used to describe the properties for the program. The client-side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell.
The attacker has to identify the injection vector, identify the operating system-specific commands, and optionally collect the output.
Resources Required
Ability to communicate synchronously or asynchronously with the server. Optionally, the ability to capture output directly through synchronous communication or by another method such as FTP.
Solutions and Mitigations
Design: Do not pass input values directly to a command shell; instead, treat user input as guilty until proven innocent. Build a function that takes user input and converts it to application-specific types and values, stripping or filtering out all unauthorized commands and characters in the process.
Design: Limit program privileges, so that if metacharacters or other methods circumvent the program's input validation routines and shell access is attained, the shell is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.
Implementation: Implement an audit log that is written to a separate host; in the event of a compromise, the audit log may be able to provide evidence and details of the compromise.
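The first Design mitigation, as an added example that is not part of the original entry: a hypothetical ping wrapper whose user-supplied host and packet count are converted to application-specific types before use, shown beside the string-concatenation pattern it replaces. The hostname pattern, the count bounds and the ping options are assumptions for the illustration.

```python
import ipaddress
import re
import subprocess

# Hostname shape: dot-separated labels of letters, digits and hyphens,
# each label starting and ending with a letter or digit (RFC 1123 form).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def to_host(raw):
    """Convert untrusted text to a vetted host, or raise ValueError.
    Guilty until proven innocent: only a syntactically valid IP address or
    hostname passes; metacharacters, spaces or a leading '-' are rejected."""
    value = raw.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal; try the hostname form
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"not a valid host: {raw!r}")


def to_count(raw, lo=1, hi=10):
    """Convert untrusted text to a bounded integer packet count."""
    value = raw.strip()
    if not re.fullmatch(r"[0-9]{1,2}", value) or not lo <= int(value) <= hi:
        raise ValueError(f"not an acceptable packet count: {raw!r}")
    return int(value)


def unsafe_ping_command(raw_host, raw_count):
    """The pattern to avoid: a command line built by concatenating raw input
    for a shell to parse, so any metacharacters in the input become syntax."""
    return "ping -c " + raw_count + " " + raw_host


def ping_argv(raw_host, raw_count):
    """Hardened form: typed, validated values placed in an argument vector.
    The list goes to execve as-is, so no shell ever parses the host string."""
    return ["ping", "-c", str(to_count(raw_count)), to_host(raw_host)]


def run_ping(raw_host, raw_count):
    """Execute with shell=False (the default), so argv is not re-parsed."""
    return subprocess.run(ping_argv(raw_host, raw_count),
                          capture_output=True, text=True, timeout=30)
```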
Attack Motivation-Consequences
Scope: Confidentiality, Access_Control, Authorization. Technical Impact: Gain privileges / assume identity.
Scope: Integrity. Technical Impact: Modify application data.
Scope: Confidentiality. Technical Impact: Read application data.
Injection Vector
Malicious input delivered through standard input: the attacker inserts additional arguments on the application's standard interface.
Payload
Varies with the instantiation of the attack pattern. The malicious payload either passes commands through valid parameters or supplies metacharacters that cause unexpected termination that redirects to the shell.
Activation Zone
Client machine and client network (e.g. Intranet)
Payload Activation Impact
Description
Enables the attacker to execute server-side code with any commands that the program owner has privileges to run; this is particularly problematic when the program is run as a system or privileged account.