Name | Argument Injection
Likelihood of attack | High
Typical severity | High

Summary |
An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods. |
Prerequisites |
The target software fails to strip user-supplied input of any content that could cause the shell to perform unexpected actions. The software must pass unvalidated or unfiltered input to the operating system shell for execution, and, optionally, the system configuration must allow output to be sent back to the client. |
Execution Flow |
Step | Phase | Description | Techniques
1 | Explore | [Discovery of potential injection vectors] Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).
- Manually walk the application and record the places where arguments could be passed into external systems.
- Use a spider, for web applications, to create a list of URLs and associated inputs.

2 | Experiment | [Attempt variations on argument content] Possibly using an automated tool, the attacker performs injection variations of the arguments.
- Use a large list of probe strings to detect whether there is a positive result and, if the target is obscure, what type of system has been targeted.
- Use a proxy tool to record results, error messages and/or logs, if accessible.

3 | Exploit | [Abuse of the application] The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.
- Manually inject a specific payload into the targeted argument.

Solutions |
- Design: Do not pass input values directly to a command shell; treat user input as guilty until proven innocent. Build a function that takes user input and converts it to application-specific types and values, stripping or filtering out all unauthorized commands and characters in the process.
- Design: Limit program privileges, so that if metacharacters or other methods circumvent the program's input validation routines and shell access is attained, the shell is not running under a privileged account. A chroot jail creates a sandbox for the application to execute in, limiting what the attacker can reach and making further escalation harder even once a compromise has occurred.
- Implementation: Implement an audit log that is written to a separate host; in the event of a compromise the audit log may be able to provide evidence and details of the compromise. |
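The following is an added example, not CAPEC's own code, covering both the Experiment step above (canary probe strings, with error messages counted as results) and the first Design solution (convert input to an application-specific value, and never hand it to a shell). It assumes a hypothetical line-count feature that passes a user-supplied file name to `wc -l`; `wc` and `sh` must be on PATH, as on any POSIX system. The probe, validation and hardened builder are all illustrative names chosen here.

```python
"""Argument injection, probed and then hardened.

Added example, not CAPEC's own code.  It assumes a hypothetical line-count
feature that hands a user-supplied file name to `wc -l`; `wc` and `sh` must
be on PATH (any POSIX system).
"""
import os
import subprocess
import tempfile
import uuid

# Characters that let the shell (or the called program) reinterpret an
# argument: separators, pipes, redirections, substitutions, quoting, globs.
SHELL_METACHARS = set(";&|`$<>(){}'\"\\\n\r*?~")


def count_lines_vulnerable(filename: str) -> subprocess.CompletedProcess:
    """'Before': the file name is concatenated into a shell command line."""
    return subprocess.run(f"wc -l {filename}", shell=True,
                          capture_output=True, text=True)


def run_wc(argv_tail: list) -> subprocess.CompletedProcess:
    """Argv list: the kernel receives the strings as-is, so no shell parses
    them.  That stops command syntax, but NOT an argument starting with '-',
    which wc itself still parses as an option."""
    return subprocess.run(["wc", "-l", *argv_tail],
                          capture_output=True, text=True)


def validate_argument(value: str) -> str:
    """Convert untrusted input into an application-specific 'file name'.

    Rejects rather than strips: a rejected value cannot be smuggled past an
    incomplete deny-list (CWE-184) by a character the list forgot."""
    if not value or "\0" in value:
        raise ValueError("empty or NUL-containing argument")
    if any(ch in SHELL_METACHARS for ch in value):
        raise ValueError(f"shell metacharacter in argument: {value!r}")
    if value.startswith("-"):
        raise ValueError(f"argument would be parsed as an option: {value!r}")
    return value


def count_lines_hardened(filename: str) -> subprocess.CompletedProcess:
    """'After': validated value, argv list, and '--' so wc treats everything
    after it as an operand even if validation were ever bypassed."""
    return run_wc(["--", validate_argument(filename)])


def probe(target, separators=(";", "|", "\n", "`", "$(")) -> dict:
    """Experiment step: one probe string per delimiter, each appending a
    command that echoes a unique canary.  The canary turning up in stdout OR
    in an error message is a positive result and names the delimiter that
    the target honours."""
    hits = {}
    for sep in separators:
        canary = "CANARY-" + uuid.uuid4().hex[:12]
        if sep == "$(":
            payload = f"report.txt$(echo {canary})"
        elif sep == "`":
            payload = f"report.txt`echo {canary}`"
        else:
            payload = f"report.txt{sep}echo {canary}"
        try:
            result = target(payload)
        except ValueError:
            hits[sep] = False        # rejected before anything was executed
            continue
        hits[sep] = canary in (result.stdout + result.stderr)
    return hits


def demo() -> dict:
    """Run the probes against both builders and show the option-injection
    difference between an argv list with and without '--'."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "data.txt")
        with open(path, "w") as fh:
            fh.write("a\nb\nc\n")            # constructed input: three lines
        return {
            "vulnerable_hits": probe(count_lines_vulnerable),
            "hardened_hits": probe(count_lines_hardened),
            "hardened_counts_ok": count_lines_hardened(path).stdout.split()[0] == "3",
            # without '--', wc parses '--version' as an option, not a file
            "argv_only_treated_as_file": "--version:" in run_wc(["--version"]).stderr,
            # with '--', the same string is an operand (a file that is not found)
            "dashdash_treated_as_file": "--version:" in run_wc(["--", "--version"]).stderr,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The substitution probes (backtick and `$(`) show why the Experiment step records error messages: the canary never reaches stdout, but `wc` echoes the rewritten file name in its "No such file" complaint. The `--` end-of-options marker is honoured by getopt-style programs but not by every tool, so it is defence in depth behind the validation function, not a replacement for it; the privilege-limiting and chroot measures are deployment configuration and are not shown here.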
Related Weaknesses |
CWE ID | Description
CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-146 | Improper Neutralization of Expression/Command Delimiters
CWE-184 | Incomplete List of Disallowed Inputs
CWE-185 | Incorrect Regular Expression
CWE-697 | Incorrect Comparison
CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws
|
Related CAPECS |
CAPEC ID | Description
CAPEC-137 | An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in an HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack; the HTTP GET encoding used above is just one example.
|