An injection attack can be used to add or remove information from a data stream. In this video, you’ll learn about SQL injection, XML injection, DLL injection, and more.
A code injection attack is when the attacker puts their own code into an existing data stream. This is usually made possible by poor programming in an application. An application shouldn’t allow you to put your own code into a data stream. But, often, the input is never checked by the application, and attackers are able to exploit that vulnerability. There are many different types of code that you can inject. You can inject HTML, LDAP, or SQL code, and any one of those may be able to manipulate or gather information from a machine, especially if you have control over the type of code that you put into that data stream.
One very common code injection type is a SQL injection. SQL stands for Structured Query Language, the language used to query the relational databases behind many websites. If you can circumvent the web front end, then you can gain access to the data that’s in that database. Of course, the web front end should not allow these types of requests, but if the input is not validated, it can be very easy to get around the application and run whatever queries you would like against that database directly.
Let’s run a SQL injection on an intentionally vulnerable application found in WebGoat. You can load WebGoat on your own machine and run through the SQL injection lesson yourself. This particular lesson has a form that an employee uses to look up their own personal information. The employee name is John Smith, and this application also requires a transaction authorization number. The number in this example is 3SL99A.
The way it works is that the employee puts their last name into the box and then enters the authorization number 3SL99A. When they click Get Department, they get back the information specific to them. But this web front end does not validate anything typed into the authorization number field. So we can modify the input just a bit by adding an OR 1 equals 1 to the end of it. That is SQL code that effectively says: find everything with the authorization number 3SL99A, or anything where 1 equals 1.
And, of course, 1 does equal 1, which means that condition is true for every row in the table. That means we can dump the entire table to our screen by adding just a little bit of text to the end of the input. If we click that button, we can now view the names, departments, and salaries for everybody in the company. There are other types of injection attacks you might see. Another one might be with XML.
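To show why the authorization number field above is exploitable, here is an added example in Python (not WebGoat’s own code) with an in-memory SQLite table standing in for the employee data: the first lookup splices the typed number into the query text the way the vulnerable lesson does, and the second binds it as a parameter, which is the fix. The table, column, and employee names are constructed assumptions.

```python
import sqlite3

# Constructed sample data standing in for WebGoat's employee table;
# names and values are illustrative, not taken from WebGoat itself.
EMPLOYEES = [
    ("Smith", "3SL99A", "Sales", 51000),
    ("Jones", "7JK22B", "Engineering", 72000),
    ("Taylor", "9QW41C", "Finance", 64000),
]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed employee rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee "
        "(last_name TEXT, auth_tan TEXT, department TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(conn, last_name, tan):
    """The flawed pattern: user input spliced straight into the SQL text.
    Nothing validates the number field, so SQL typed there becomes part of
    the statement; AND binds tighter than OR, so OR '1'='1' matches every row."""
    query = (
        "SELECT last_name, department, salary FROM employee "
        f"WHERE last_name = '{last_name}' AND auth_tan = '{tan}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, last_name, tan):
    """The fix: bound parameters. Values travel separately from the SQL
    text, so a quote or OR inside the number is just data to compare."""
    query = (
        "SELECT last_name, department, salary FROM employee "
        "WHERE last_name = ? AND auth_tan = ?"
    )
    return conn.execute(query, (last_name, tan)).fetchall()


if __name__ == "__main__":
    db = build_db()
    injected = "3SL99A' OR '1'='1"
    print(lookup_vulnerable(db, "Smith", "3SL99A"))   # one row: Smith only
    print(lookup_vulnerable(db, "Smith", injected))   # all three rows leak
    print(lookup_safe(db, "Smith", injected))         # []: the number does not match
```

The same parameter binding exists in every mainstream database driver; the detection side is simpler still, since a legitimate authorization number never contains a quote character or the keyword OR.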
XML is the Extensible Markup Language. It’s very commonly used to transfer data between two different kinds of devices, and you can perform an XML injection by sending malformed XML to the receiving device. Obviously, a well-written application will validate that XML as it comes into the system. Another valuable target for data injection is an LDAP server. LDAP is the Lightweight Directory Access Protocol. LDAP is commonly used to store authentication information, such as usernames and passwords, or other information about devices or users. If you’re able to inject data and pull details from that LDAP directory, you may be able to gather a lot of information that you normally would not have access to.
Another type of injection is DLL injection. DLL stands for Dynamic-Link Library, and a DLL injection is a way to inject code into an application so that the application executes the code for us. In this DLL injection example, we have two processes: process B, which is the attacker, and process A, which is the victim. Process B attaches to process A, allocates memory inside it for the DLL, and then copies the DLL into process A. At that point, process A executes that DLL as a new thread, running it as process A, which may give the code additional rights and capabilities that process B would not normally have.