Sankalp's blog
What are Injections Attack in System Design?(Part-1)

Photo by Markus Spiske on Unsplash

What are Injections Attack in System Design?(Part-1)

Exploring the World of Injections: From Basics to Advanced Practices

SANKALP HARITASH's photo
SANKALP HARITASH
·

11 min read

Injection attack is a type of security vulnerability that occurs when an attacker is able to inject or insert malicious code into a data input or command that is processed by a system. These attacks take advantage of improper handling of user inputs and can occur in various contexts, targeting different technologies and components of a system. The injected code is then executed by the system, potentially leading to unauthorized access, data manipulation, or other malicious activities.

The term "injection" is used because the attacker injects (inserts) malicious code into a legitimate data stream or command. Injection attacks can affect a wide range of applications and systems, and they often exploit weaknesses in input validation and insufficient sanitization of user inputs.

  1. SQL Injection:

  • SQL Injection (SQLi) is a type of attack where an attacker manipulates user inputs to inject malicious SQL code into a query executed by a database. If a web application does not properly validate or sanitize user inputs before incorporating them into SQL statements, an attacker can exploit this vulnerability to execute arbitrary SQL commands.

Example to illustrate SQL injection.

Suppose you have a web application with a login page that uses the following SQL query to authenticate users:

SELECT * FROM users WHERE username = 'input_username' AND password = 'input_password';

Here, 'input_username' and 'input_password' are placeholders for user inputs. In a secure implementation, these inputs should be properly sanitized or validated before being used in the SQL query.

Vulnerable Code (Without Input Validation):

// PHP code handling user login
$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT * FROM users WHERE username = '$username' AND password = 
'$password'";
$result = mysqli_query($connection, $sql);

if ($row = mysqli_fetch_assoc($result)) {
    // Authentication successful
    echo "Welcome, " . $row['username'] . "!";
} else {
    // Authentication failed
    echo "Invalid username or password";
}

In this vulnerable code, the user inputs ($username and $password) are directly concatenated into the SQL query without proper validation.

SQL Injection Attack**:**

Suppose an attacker enters the following input in the username field:

' OR '1'='1'; --

The modified SQL query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1'; --' AND password = 'input_password';

In this case, the condition '1'='1' always evaluates to true, effectively bypassing the password check. The double hyphen (--) is used to comment out the rest of the original query, preventing any errors.

As a result, the attacker can successfully log in without providing a valid password.

Prevention:

To prevent SQL injection, it's crucial to use parameterized queries or prepared statements, which separate SQL code from user inputs. Here's an example of the secure code:

// Secure PHP code with prepared statements
$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT * FROM users WHERE username = ? AND password = ?";
$stmt = mysqli_prepare($connection, $sql);

mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);

$result = mysqli_stmt_get_result($stmt);

if ($row = mysqli_fetch_assoc($result)) {
    // Authentication successful
    echo "Welcome, " . $row['username'] . "!";
} else {
    // Authentication failed
    echo "Invalid username or password";
}

mysqli_stmt_close($stmt);
mysqli_close($connection);

Using prepared statements or parameterized queries ensures that user inputs are treated as data, not as executable code, thus preventing SQL injection attacks.

  1. MongoDB Injection (NoSQLi):

MongoDB Injection, also known as NoSQL Injection (NoSQLi), is a type of attack specific to MongoDB databases, where an attacker manipulates user inputs to inject malicious code into a MongoDB query. NoSQL databases like MongoDB use a different data model and query language compared to traditional SQL databases. MongoDB stores data in BSON (Binary JSON) format and uses a document-oriented query language.

How MongoDB Injection Occurs:

  1. User Input in Queries:

    • MongoDB queries are often constructed using JSON-like syntax and include key-value pairs to match documents in the database.

    • If a web application incorporates user inputs directly into MongoDB queries without proper validation or sanitization, it can introduce vulnerabilities.

  2. Attacker Manipulation:

    • An attacker can exploit MongoDB Injection by manipulating user inputs to inject malicious MongoDB query operators or constructs.

    • MongoDB query operators, such as $gt (greater than), $lt (less than), and $regex (regular expression), can be abused by an attacker to modify the query's logic.

Example of MongoDB Injection:

Consider a simple login scenario in a Node.js application using MongoDB:

const express = require('express');
const bodyParser = require('body-parser');
const MongoClient = require('mongodb').MongoClient;

const app = express();
const port = 3000;

app.use(bodyParser.urlencoded({ extended: true }));

app.post('/login', async (req, res) => {
  const username = req.body.username;
  const password = req.body.password;

  const dbClient = await MongoClient.connect('mongodb://localhost:27017', { useNewUrlParser: true, useUnifiedTopology: true });
  const db = dbClient.db('mydatabase');

  // Vulnerable code: directly using user inputs in the MongoDB query
  const query = { username: username, password: password };
  const result = await db.collection('users').findOne(query);

  if (result) {
    res.send(`Welcome, ${result.username}!`);
  } else {
    res.send('Invalid username or password');
  }

  dbClient.close();
});

app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});

In this vulnerable code, an attacker could manipulate the input values to perform malicious actions. For example, an attacker might enter the following values for the username and password:

{
  "username": { "$gt": "" },
  "password": { "$gt": "" }
}

In this case, the query would become:

{
  "username": { "$gt": "" },
  "password": { "$gt": "" }
}

This MongoDB query could potentially match all documents in the 'users' collection, allowing unauthorized access.

Prevention of MongoDB Injection:

To prevent MongoDB Injection, it's crucial to follow best practices for handling user inputs:

  1. Use Parameterized Queries or Object Notation:

    • Avoid directly concatenating user inputs into MongoDB queries.

    • Instead, use parameterized queries or object notation to separate the query structure from user inputs.

  2. Validate and Sanitize User Inputs:

    • Validate and sanitize user inputs to ensure they conform to expected data types and formats.

    • Apply input validation on both the client and server sides.

  3. Use ObjectID for Identifiers:

    • If possible, use MongoDB's ObjectID for document identifiers to prevent injection attacks related to identifier manipulation.

  4. Implement Least Privilege Principle:

    • Limit user permissions to only the necessary operations and collections within the MongoDB database.

  5. Regularly Update and Patch:

    • Keep MongoDB and related libraries up to date with the latest security patches.

By following these best practices, developers can significantly reduce the risk of MongoDB Injection vulnerabilities in their applications. Regular security audits and testing are also essential to identify and address potential security issues.

  1. JavaScript injection:

JavaScript injection allows attackers to insert malicious scripts into web pages viewed by other users. This can happen in various ways, but the most common method is through exploiting vulnerabilities in web applications that fail to properly sanitize user-generated content.

JavaScript injection, often associated with Cross-Site Scripting (XSS), is a vulnerability where an attacker injects malicious JavaScript code into a web application, which is then executed in the browser of a user who visits the compromised site. This vulnerability exploits the fact that web applications display content to users without properly validating or encoding it.

How JavaScript Injection Occurs:

  1. User Input Handling: A web application accepts user input through forms, URL parameters, or any input field and dynamically inserts that input into its web pages.

  2. Lack of Sanitization: If the application does not properly sanitize the user input, an attacker can insert JavaScript code into these fields. When the input is displayed back in the web pages, the browser will execute the malicious JavaScript.

  3. Execution in Victim's Browser: The injected script runs within the context of the victim’s browser, under the privileges of the web application, potentially leading to data theft, session hijacking, defacement of the website, and other malicious activities.

Example of JavaScript Injection:

Consider a simple guestbook application where users can leave comments, and these comments are displayed to anyone visiting the page. If the application inserts comments directly into its HTML without proper sanitization, it's vulnerable to JavaScript injection.

Vulnerable Code Example:

<div>
  User comment: <span id="userComment"></span>
</div>

<script>
  // Imagine this data comes from user input
  let userComment = '<script>alert("This is an XSS attack!")</script>';

  // Vulnerably inserting user input directly into the DOM
  document.getElementById('userComment').innerHTML = userComment;
</script>

Types of XSS Attacks:

  1. Stored XSS: The malicious script is permanently stored on the target server (e.g., in a database), and when the vulnerable page is viewed, the script is executed. This is particularly dangerous because it can affect many users.

  2. Reflected XSS: The malicious script is reflected off the web server, such as in an error message, search result, or any response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an email message or a third-party website.

  3. DOM-based XSS: The vulnerability exists in the client-side code rather than the server-side code. The attacker manipulates the Document Object Model (DOM) of the web page, causing the client-side script to execute differently.

Deep Dive into Mitigation Techniques:

  1. Input Sanitization and Validation

  • Context-Aware Sanitization: Understand the context in which data is being inserted and sanitize accordingly. HTML content, JavaScript contexts, URL parameters, and CSS blocks all require different sanitization rules.

  • Whitelisting vs. Blacklisting: Favor whitelisting allowable content over blacklisting forbidden content. Whitelisting ensures only known-safe input is accepted, which is more secure than trying to anticipate all possible malicious inputs.

  1. Output Encoding

  • Escape Dynamically Generated Content: Before inserting untrusted data into HTML, JavaScript, CSS, or anywhere in your webpage, ensure it is encoded. For example, using HTML entities encoding to convert < into &lt; and > into &gt; prevents tags from being interpreted as HTML or JavaScript.

  • Safe APIs: Utilize frameworks and libraries that automatically escape outputs, such as ReactJS, which escapes values inserted into the DOM by default.

  1. Content Security Policy (CSP)

  • Restrict Sources: CSP allows you to specify which domains can serve executable scripts, preventing the browser from loading malicious resources.

  • Inline Script Protections: CSP can be used to disallow inline scripts, making it harder for XSS payloads to execute.

  • Report-Only Mode: Initially deploying CSP in report-only mode can help in understanding its impact on your site without breaking functionality, allowing for a smoother transition to enforcing CSP.

  1. Frameworks and Libraries

  • Automatic Escaping: Use modern web frameworks that automatically escape output, such as Angular, React, and Vue.js. These frameworks have built-in mechanisms to prevent XSS by escaping strings inserted into the HTML.

  • Sanitization Libraries: For cases where you need to allow some HTML content (like a rich text editor), use a library designed to sanitize HTML content by stripping out all unwanted JavaScript.

  1. Regular Auditing and Testing

  • Penetration Testing: Regularly test your web applications using both automated tools and manual penetration testing to identify and fix vulnerabilities.

  • Code Review: Conduct regular code reviews focusing on security, especially in parts of the application that handle user input, generate output, or manipulate the DOM.

  • Security Training: Educate developers about the importance of security, common vulnerabilities like XSS, and best practices for preventing them.

By integrating these practices into the development lifecycle, organizations can significantly reduce the risk of JavaScript injection attacks. It's also important to stay informed about the latest security threats and mitigation strategies, as web security is a constantly evolving field.

  1. Command Injection:

Command Injection is a security vulnerability that allows an attacker to execute arbitrary commands on a host operating system (OS) through a vulnerable application. This type of attack is possible when an application, which takes user input, uses this input unsanitized in a system command. By injecting malicious commands into the input fields, attackers can achieve unauthorized access to the system's data and operations, potentially compromising the entire system.

How Command Injection Occurs

  1. Vulnerable Application: The application does not properly validate, sanitize, or escape user inputs before passing them to system commands.

  2. Attacker Exploits Vulnerability: The attacker crafts input containing malicious commands or additions to existing commands.

  3. Execution of Malicious Commands: The application executes the command along with the malicious input, resulting in unauthorized actions on the host system.

Example of Command Injection

Consider a web application that allows users to ping IP addresses or domain names to check their availability. The application takes user input and passes it to a system command like ping.

Vulnerable PHP Code Example:

<?php
$target = $_GET['target'];
system("ping -c 4 " . $target);
?>

An attacker can exploit this by submitting a request like:

<http://example.com/ping?target=127.0.0.1>; cat /etc/passwd

In this case, after the ping command runs, the cat /etc/passwd command would also be executed, potentially revealing sensitive information about the system's users.

Prevention of Command Injection

  • Input Validation: Strictly validate user inputs to allow only expected values. Use regular expressions to enforce patterns and validate against a list of allowed values.

  • Input Sanitization: Sanitize inputs by removing or encoding potentially dangerous characters, such as semicolons (;) and shell metacharacters.

  • Use of Safe APIs: Where possible, use safe API alternatives that do not involve passing user input directly to the shell. For example, use language-specific functions for file handling and data fetching instead of system commands.

  • Least Privilege: Run applications with the least privilege necessary, limiting what can be done if an attacker successfully performs a command injection.

  • Escaping Shell Metacharacters: When passing user input to shell commands, ensure that shell metacharacters are escaped or quoted correctly. Some programming languages provide functions to escape shell arguments safely.

  • Use Parameterized Commands: For commands that must include user input, use parameterized commands or stored procedures that treat user input as data, not executable code.

  • Security Tools and Auditing: Regularly use static code analysis tools, dynamic analysis tools (such as web application scanners), and manual code review to identify and fix potential vulnerabilities. Implement logging and monitoring to detect and respond to suspicious activities.

By applying these measures, developers and administrators can significantly reduce the risk of command injection attacks against their applications and systems, protecting sensitive data and maintaining the integrity and availability of their services.

Summary:

Injection attacks, such as SQL, NoSQL, JavaScript, Command, LDAP, and XPath Injections, exploit vulnerabilities in handling user input, leading to unauthorized system access or data manipulation. Prevention measures include input validation, parameterized queries, API usage, least privilege access, strong authentication, and regular security audits to safeguard against these attacks.

System DesignSystem ArchitectureSQLJavaScriptMongoDBTypeScriptReactFrontend DevelopmentBeginner DevelopersFull Stack Development