3️⃣A03:2021 – Injection
Injection
Injection vulnerabilities occur when an application processes untrusted data and executes unintended commands or queries. This typically happens when user-supplied data is not properly validated, filtered, or sanitized, allowing attackers to manipulate the interpreter's execution context.
Here are detailed descriptions and examples of injection vulnerabilities:
When an Application is Vulnerable to Injection?
User-Supplied Data is Not Validated, Filtered, or Sanitized
Description: The application accepts input from users without validating, filtering, or sanitizing it, leading to potential security risks.
Example: A web form allows users to enter their username without any input validation or sanitization.
Impact: Attackers can input malicious scripts or SQL commands that the application executes, leading to data breaches or system compromise.
Dynamic Queries or Non-Parameterized Calls Without Context-Aware Escaping
Description: The application constructs queries or commands using dynamic strings that include user input without proper context-aware escaping.
Example: Constructing an SQL query by concatenating strings, such as:
Impact: Attackers can inject SQL commands that alter the query's behavior, potentially accessing unauthorized data.
Hostile Data Used in Object-Relational Mapping (ORM) Search Parameters
Description: The application uses user-supplied data in ORM search parameters without proper validation, allowing attackers to extract sensitive records.
Example: Using unvalidated user input in an ORM query:
Impact: Attackers can manipulate ORM queries to extract additional records or sensitive data.
Hostile Data Directly Used or Concatenated in Dynamic Queries, Commands, or Stored Procedures
Description: User input is directly included in dynamic queries, commands, or stored procedures without validation or sanitization.
Example: Directly using user input in a shell command:
Impact: Attackers can inject malicious commands that the system executes, potentially leading to arbitrary command execution.
Common Types of Injection
SQL Injection
Description: Manipulating SQL queries by injecting malicious input.
Example: Injecting
' OR '1'='1
into a login form to bypass authentication.
NoSQL Injection
Description: Manipulating NoSQL queries with malicious input.
Example: Injecting
{"$ne": null}
in a MongoDB query to bypass authentication.
OS Command Injection
Description: Executing arbitrary operating system commands via injected input.
Example: Injecting
; rm -rf /
into a command execution function.
ORM Injection
Description: Manipulating ORM queries with malicious input.
Example: Injecting
1=1
in an ORM search parameter to retrieve all records.
LDAP Injection
Description: Manipulating LDAP queries with malicious input.
Example: Injecting
*
in an LDAP search filter to retrieve all entries.
Expression Language (EL) or Object Graph Navigation Library (OGNL) Injection
Description: Injecting malicious data into EL or OGNL expressions.
Example: Injecting
${"".getClass().forName("java.lang.Runtime").getRuntime().exec("calc")}
to execute a command.
Detection and Prevention
Source Code Review: Manual review of source code to identify potential injection points.
Automated Testing: Using automated tools to test all parameters, headers, URLs, cookies, JSON, SOAP, and XML inputs for injection vulnerabilities.
Static Application Security Testing (SAST): Analyzes source code for vulnerabilities without executing the application.
Dynamic Application Security Testing (DAST): Tests the application in runtime to identify vulnerabilities by simulating attacks.
Interactive Application Security Testing (IAST): Combines SAST and DAST techniques to analyze running applications.
Mitigation Strategies
Input Validation and Sanitization
Description: Validate and sanitize all user inputs to ensure they conform to expected formats and contain no malicious content.
Example: Use a whitelist of allowed characters for input fields.
Parameterized Queries and Prepared Statements
Description: Use parameterized queries and prepared statements to separate data from code.
Example: Use
PreparedStatement
in Java to execute SQL queries:
Context-Aware Escaping
Description: Apply escaping based on the context in which the data is used (e.g., SQL, HTML, XML).
Example: Use appropriate escaping libraries to sanitize user input before using it in different contexts.
Least Privilege Principle
Description: Limit the privileges of application accounts and use read-only database accounts where possible.
Example: Configure the application to connect to the database with a user account that has minimal privileges necessary for its operation.
Security Testing
Description: Incorporate regular security testing into the development lifecycle using SAST, DAST, and IAST tools.
Example: Integrate a DAST tool into the CI/CD pipeline to automatically scan for injection vulnerabilities during the build process.
REFERENCES
Mapped CWEs
CWE-20: Improper Input Validation
Description: The application does not validate or improperly validates input that can affect the control flow or data flow of a program.
Link: https://cwe.mitre.org/data/definitions/20.html
CWE-89: SQL Injection
Description: The application constructs SQL statements from user input, which attackers can manipulate to execute arbitrary SQL commands.
Link: https://cwe.mitre.org/data/definitions/89.html
CWE-564: SQL Injection in ORM
Description: An application using an Object-Relational Mapping (ORM) tool is vulnerable to SQL injection.
Link: https://cwe.mitre.org/data/definitions/564.html
CWE-77: Command Injection
Description: The application constructs operating system commands using user input, which attackers can manipulate to execute arbitrary commands.
Link: https://cwe.mitre.org/data/definitions/77.html
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: The application constructs OS commands using user input without proper neutralization of special characters.
Link: https://cwe.mitre.org/data/definitions/78.html
CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Description: The application constructs XPath queries from user input, which attackers can manipulate to alter the query's behavior.
Link: https://cwe.mitre.org/data/definitions/643.html
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description: The application uses user input in a way that it can affect downstream components, such as databases or command interpreters.
Link: https://cwe.mitre.org/data/definitions/74.html
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Description: The application constructs LDAP queries from user input, which attackers can manipulate to alter the query's behavior.
Link: https://cwe.mitre.org/data/definitions/90.html
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Description: The application constructs Expression Language (EL) statements from user input, which attackers can manipulate to execute arbitrary code.
Link: https://cwe.mitre.org/data/definitions/917.html
CWE-352: Cross-Site Request Forgery (CSRF)
Description: The application allows attackers to perform actions on behalf of authenticated users without their consent.
Link: https://cwe.mitre.org/data/definitions/352.html
Last updated