Which type of attack can be used to execute arbitrary commands in a database?
In software development, security is paramount, yet developers often forget to test their applications for vulnerabilities. One such vulnerability is command injection. This blog post aims to help developers, testers, and users understand, detect, and avoid command injection vulnerabilities in their applications.
What Is Command Injection?

Command injection is an attack in which an attacker supplies crafted input to a vulnerable application, and the application passes that input, unchanged, into a command it runs on the host operating system. The injected command executes with the privileges of the vulnerable application (for a web application, typically the web server's service account), so it sidesteps the application's own access controls and can be used to steal data, crash systems, damage databases, and even install malware that is used later. Attackers can reach the system shell through various vectors and techniques, but the outcome is the same: arbitrary commands run in the shell of the web server and can compromise any data that account can reach. Next, let's look at how it differs from another widespread attack: code injection.

How Is Command Injection Different from Code Injection?

Code injection is an attack in which the attacker supplies code that the application itself executes, in the language the application is written in. This usually involves sending the target application a request (often through a browser) that contains the injected code. Insufficient validation of input and output data allows it to happen. Command injection, by contrast, abuses functionality the application already has for running system commands: the attacker extends the command the application was going to execute anyway. No new application code is added. Command injection can lead to various breaches, such as downloading tools, stealing and changing credentials, or deleting files, depending on the privileges of the account the application runs as.

Vulnerabilities That Can Lead to Command Injection

Command injection occurs when a flaw in an application lets an attacker extend the application's existing system-command functionality. Executing commands through the application's own code is also possible; this is called code execution, and there too the attacker's goal is to run arbitrary commands, just via the application's language rather than its shell calls. Let's look at some of the flaws that can lead to command execution via command injection or code execution.

1. Arbitrary Command Injection

Arbitrary command injection occurs when an application passes a user-controlled value into a system command, so that a malicious value can run any command directly on the underlying host. An attacker may use this to gain access to sensitive data.

2. Arbitrary File Uploads

When users are allowed to upload files with arbitrary extensions and those files are stored inside the web root, an attacker can upload a script (a web shell) that the server executes, which in turn runs commands on the host.

3. Server-Side Template Injection

Server-side template injection is possible when web applications use server-side templating engines such as Jinja2 or Twig to produce dynamic HTML responses. When user input is concatenated into the template itself rather than passed to it as data, an SSTI vulnerability exists, which can result in remote code execution on the server.

4. Insecure Deserialization

Beyond conventional command injection, other vulnerabilities, such as insecure deserialization, can be used to execute arbitrary commands. This happens because the server-side code deserializes user-supplied serialized data without verifying it. Although this is usually treated as its own class of vulnerability, if the target program meets specific conditions, such as having suitable gadget classes on the classpath, it ultimately leads to command execution.

Understanding Command Injection with an Example

In the code below, we use the direct OS command "touch" to create or update the file, which is not secure: the file name comes from the user and is concatenated into a shell command. A hacker can exploit this.
The best way to prevent command injection is to avoid the shell entirely: use parameterized library functions such as the file-system write and open APIs, which take the file name as a separate argument and so keep data separate from the command, instead of eval, exec, or any other way of building a command string. The code above uses no safe API. Developers should use safe APIs for reading and writing files instead of eval(), touch, or any other direct OS command or evaluation. If no safe API is available, validate all inputs against an allow-list and reject characters the shell interprets, such as ';', '&', '|', '$', backticks, quotes, and newlines. Here is how you can prevent command injection using JavaScript.
We use fs.openSync and fs.closeSync instead of the direct OS command touch, so the user-supplied value is only ever treated as a file name and never reaches a shell.

Types of Command Injection

Command injection comes in two types. In one, the outcome of the injected command can be seen directly in the response; in the other, it cannot. Let's take a broader look at the two command injection types with examples.

1. Result-Based Command Injection

In result-based command injection, the response contains the output of the injected command directly, so the attacker can see the outcome of the arbitrary command they supplied in the application's response.