Injection is when user-supplied content, typically entered into a web form, is not properly checked and sanitized before being processed, enabling the attacker to insert malicious instructions into what is supposed to be data.
The classic example is SQL injection, in which the user’s input is combined with an SQL query which is submitted to the database for processing. SQL injection attacks have been implicated in some of the largest security breaches, including an attack in 2009 that obtained the details of 130 million credit and debit cards and at the time was considered by many to be the biggest case of identity theft in American history. It is a sad reflection of the state of our industry that that claim only lasted four years.
Consider the following pseudocode:
CustomerInput = request.getParameter("id");
Query = "SELECT * FROM accounts WHERE accountname='" + CustomerInput + "'";
The intent is that the user enter the name of the account to be queried. But if an attacker enters a string such as:
' or '1'='1
the SQL statement passed to the database will be
SELECT * FROM accounts WHERE accountname='' or '1'='1'
resulting in the database returning data on all accounts, not just one.
The defense is to never trust any input: carefully check that it contains only valid characters and data, and if it contains any special characters that might be interpreted by the database (or some other downstream component), delete or properly escape those characters so they are not interpreted as commands.
Another simple example is a web form that enables the user to enter an IP address to be passed to a shell script to check using ping. Imagine a shell script that does no checking of the user’s input and simply runs the command:
ping -c 10 ${IPAddr}
If the user enters
8.8.8.8; cat /etc/passwd
not only will they get the ping results for Google’s DNS service, they will also get the contents of /etc/passwd, the file that lists every user name on the system.
In this case the user’s input ought to have been checked to ensure it only contained a valid IP address.
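As an added example (not code from the original article), here are the two cases above in Python: the account lookup written both in the concatenation pattern of the pseudocode and as a parameterized query, and the ping form's input checked against an allow-list before it becomes a command argument. The accounts table and its rows are constructed sample data, and build_ping_command returns the argument list rather than running ping.

```python
import ipaddress
import sqlite3


def make_db():
    """Constructed in-memory accounts table (sample data, not the article's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (accountname TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn


def lookup_account_vulnerable(conn, customer_input):
    """Same pattern as the article's pseudocode: input concatenated into SQL."""
    query = "SELECT * FROM accounts WHERE accountname='" + customer_input + "'"
    return conn.execute(query).fetchall()


def lookup_account_safe(conn, customer_input):
    """Parameterized query: the driver binds the value as data, never as SQL."""
    return conn.execute("SELECT * FROM accounts WHERE accountname = ?",
                        (customer_input,)).fetchall()


def build_ping_command(user_input):
    """Allow-list check for the ping form.

    Returns the argv list to hand to subprocess.run (no shell involved), or
    None when the input is not a syntactically valid IPv4/IPv6 address.
    """
    try:
        addr = ipaddress.ip_address(user_input.strip())
    except ValueError:
        return None
    return ["ping", "-c", "10", str(addr)]


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"                        # the article's SQL example
    print(lookup_account_vulnerable(db, payload))  # every row comes back
    print(lookup_account_safe(db, payload))        # []: no account has that name
    print(build_ping_command("8.8.8.8"))           # ['ping', '-c', '10', '8.8.8.8']
    print(build_ping_command("8.8.8.8; cat /etc/passwd"))  # None: rejected
```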