Injection Attack Definition
Injection attacks concern the introduction of malicious codes or scripts from an external source into a program or web application (Patel, Mohammed & Soni, 2011). An example includes an input field provided by the web application to gather input from an end-user.
It makes use of the unavailability of accurate input or output data validation. The malicious code injected would then execute as part of the application.
Types of Injection Attacks
Kolhe and Adhikari (2014) define SQL injection as a code injection attack involving the insertion of malicious SQL statements into an entry field for subsequent execution to attack the database and perform varied forms of database operations, interactions, and functions without the sanitization of the inputs in the given entry field.
This SQL injection will fool the database as a standard user application, and easily access the system afterwards. The attacker spoofs identity, becomes the database server’s administrator, and exposes, makes unavailable, or destroys existing data.
SQL injection could occur in various ways as given by Balasundaram and Ramaraj (2011):
- SQL manipulation involves the modification of the SQL query through the alteration of the WHERE clause (Patel et al., 2011). This modification would cause an amendment of the statement’s WHERE clause so that it continually returns TRUE.
- Code injection – New SQL statements would be introduced into the input fields instead of valid input. A SQL Server command would then be appended to the classic statement or code, making SQL state vulnerable. Patel et al . ( 2011) suggest that code injection only works by supporting the request by the user for different SQL statements, or by supporting keywords such as OR and AND.
- Function call injection involves user-defined functions or database functions being added into vulnerable SQL queries. Patel et al. (2011) observe that these function calls could be applied in making internal calls or modifying data in the database that could be harmful to users.
Prevention of SQL Injection Attacks
- SQL injection attacks could be prevented by enforcing measures that would not display error pages (Kohle & Adhikari, 2014). Instead, they redirect to the homepage.
- Certain characters should be the only ones allowed in the field of data. The length of these fields should be limited (Patel et al., 2011). For example, only numbers and alphabets should be accepted for usernames and passwords, and the field is limited to 15 characters
This involves altering application flow through overwriting of memory parts (Cowan, Wagle & Pu, 2000). This aims at subverting the operation of a free program for the attacker to take control of the program to control the host.
It allows attackers to run remote shell and gain privileges similar to those given to the application being targeted for attack.
Prevention strategies, as given by Cowan et al. (2000) include:
- Writing correct code through the brute force method helps novice developers develop programs less vulnerable to buffer overflows.
- The operating systems approach makes buffers storage areas non-executable, thus hinders the injection of attack code.
- The direct compiler method performs array bounds checks on array accesses, thus eliminates the buffer overflow problem associated with the operating system approach by making overflows impossible.
- The indirect compiler approach undertakes integrity checks on code pointers before their dereferencing, thus stopping most of the buffer overflow attacks.
- XPath injection
In this case , the attacker exploits websites for the execution of XPath queries to inject data into the given application (Shanmughaneethi, Ravichandran & Swamynathan 2011). XPath refers to a query language that describes locating specific elements like processing instructions or attributes in an XML document.
The attacker gains the ability to bypass authentication or accessing information without the need for appropriate authorization.
The similarity in XPath and SQL injection attacks makes Shanmughaneethi et al. (2011) appreciate the analogy in their prevention as given by Patel et al. (2011):
- Strong input validation should be enforced for each passed string parameter.
- User input should not be directly passed; rather, parameterized XPath queries should be used.
- Using custom error to avoid the display of error pages.
- OS commanding
This type of attack involves the exploitation of websites through the injection of an operating system command to the web application by HTTP request (Stuttard & Pinto, 2008).
The attacker could obtain passwords or upload malicious programs.
According to Stuttard and Pinto (2008), OS commanding injection attacks would be prevented through:
- Keeping off direct calling out to operating system commands.
- Restricting the input to a narrow set of characters such as alphanumeric characters only. Information with other data, including whitespace and metacharacter, should be rejected.
- The application should run on command APIs which launch specific processes through its command-line parameters and name instead of passing a command string to a given shell interpreter, which supports command redirection and chaining.
- Balasundaram, I. & Ramaraj, E. (2011). An authentication mechanism to prevent SQL injection attacks. International Journal of Computer Applications, 19(1), 30 – 33.
- Cowan, C., Wagle, P., & Pu, C. (2000). Buffer overflows: Attacks and defenses for the vulnerability of the decade. Retrieved 11 May 2014 from http://crypto.stanford.edu/
- Kohle, A. K. & Adhikari, P. (2014). Injection, detection, prevention of SQL injection attacks. International Journal of Computer Applications, 87(7), 40 – 43.
- Patel, N., Mohammed, F., & Soni, S. (2011). SQL injection attacks: Techniques and protection mechanisms. International Journal on Computer Science and Engineering, 3(1), 199 – 203.
- Shanmughaneethi, V., Ravichandran, R., & Swamynathan, S. (2011). PXpathV: Preventing XPath injection vulnerabilities in web applications. International Journal on Web Service Computing, 2(3), 57 – 65.
- Stuttard, D. & Pinto, M. (2008). The web application hacker’s handbook: Discovering and exploiting security flaws. Indianapolis, IN: Wily Publishing.