Injection
Questions I try to answer while testing for injection vulns and a bypass cheatsheet.
Last updated: May 4th, 2023Identifying Vulnerabilities
How do they occur?
Input vulnerabilities occur when an application fails to properly validate and sanitize user-supplied input before using it in a vulnerable manner. This can happen when the application does not have adequate input validation mechanisms or when the input is processed in an unsafe manner, allowing an attacker to inject carefully crafted malicious input.
What tech is in use?
The occurrence of input vulnerabilities are dependent on the technologies and frameworks used in the application. For example, for SQLi to be a valid attack, there needs to be a database system that processes the attackers payload and for SSTI, there needs to be a templating engine. Of course some vulnerabilities have broader requirements for occuring such as Command Injection or XSS. It's important to identify the tech in use to improve efficiency.
Where does the app take input?
- Understanding data flow
- Understanding how user-supplied data flows through the application can help trace how the input is processed, stored, and ultimately utilized allowing the attacker to identify potential points of interest that can be manipulated or where malicious data can be injected.
- Identifying vectors for attack
- By knowing where the app takes input, attackers can assess which vectors are available to them. Below I've included a table that demonstrates common vectors for different vuln types.
What preventions are in place?
Once I've identified likely vectors, I try to determine what preventions are in place. Below I talk about this process in detail. Knowing the preventions will determine the feasability/difficulty of the attack and help in developing a working PoC.
Can you escalate?
Once I have a PoC, I determine if the issue can be escalated, this usually involves a lot of research into disclosed vulns and is highly specific to the occurence of the vulnerability.
Filters
Determining Filters
- Observation, Testing and Analysis
- Interact with the application and analyze its responses: Submit various inputs (both normal and malicious) and observe how the application handles them. Look for any patterns or indications of input validation or filtering.
- Pay attention to error messages and unexpected behaviors: Examine error messages returned by the application to identify any clues about the types of input filtering in place. Note any unusual or unexpected behaviors exhibited by the application.
- Attempt simple bypasses and use the result to determine modifications necessary to a payload.
Bypassing Filters
| Bypass Attempt | Examples |
|---|---|
| Special Characters | Using single quotes, double quotes, or other special characters in user input. |
| Whitespace Manipulation | Using tabs, spaces, or line breaks to manipulate input and bypass filters. |
| Comment Characters | Using comment characters like "//" or "--" to ignore the rest of the input. |
| Case Sensitivity | Using different capitalization or mixed-case input to bypass case-insensitive filters. |
| Input Encoding | URL encoding (%20), HTML entity encoding (&), or JavaScript encoding (encodeURIComponent). |
| Double Encoding | Using URL encoding twice or HTML entity encoding twice. |
| Unicode/UTF-8 Encoding | Using overlong encoding or homoglyph substitution to manipulate character representations. |
| Obfuscation | Using character concatenation, escaping, or base64 encoding to obfuscate input. |
Table Summary for Specific Vulns
| Vulnerability | App Input Handling | Common Input Sources | Associated Technologies | Prevention | Impact |
|---|---|---|---|---|---|
| XSS (Cross-Site Scripting) | Rendering user input as HTML or JavaScript | Input fields in web forms, URL query parameters, User-generated content | HTML, JavaScript | Properly encode or sanitize user input, use output encoding functions, enable Content Security Policy (CSP), and perform input validation. | Cookie theft, session hijacking, defacement, phishing attacks, data theft. |
| SQLi (SQL Injection) | Concatenating user input into database queries | Input fields in web forms, URL query parameters, HTTP headers, Cookie values | SQL Database Management Systems (DBMS), SQL Queries | Use prepared statements or parameterized queries, input validation, and avoid dynamically constructing SQL queries with user input. | Data breaches, unauthorized access, data manipulation, information leakage. |
| SSRF (Server-Side Request Forgery) | Using user-supplied URLs to make HTTP requests to external resources | URLs for requesting external resources, Input fields for URLs or IP addresses, File uploads or inclusion mechanisms | Web applications making HTTP requests | Implement input validation and whitelist-based URL checking, restrict access to internal resources, and use network-level protections like firewalls. | Data exposure, server-side resource abuse, remote code execution. |
| File Inclusion | Including files based on user-provided paths or URLs | Input fields specifying file paths or names, URLs for including remote files | Server-side programming languages or frameworks performing file inclusion | Use whitelisting for file inclusion, validate user input, and avoid direct inclusion of user-supplied input without proper sanitization. | Arbitrary code execution, sensitive information exposure, server compromise. |
| Command Injection | Executing user input as system commands | Input fields accepting system commands, Command-line arguments, OS-specific APIs or functions | Operating systems, command execution mechanisms, executing commands on the server | Use parameterized commands, input validation, and avoid executing user input as commands without proper sanitization. | Arbitrary command execution, system compromise, data loss. |
| Server-Side Template Injection (SSTI) | Evaluating user-supplied input within server-side templates | Template files or strings, Input fields for injecting template code, Template engines or processing functions | Template engines, server-side scripting languages | Use sandboxing or secure configurations for template engines, avoid direct evaluation of user input, and implement input validation and output encoding. | Arbitrary code execution, data leakage, server compromise. |
| XML External Entity (XXE) Injection | Parsing user-provided XML input | XML input fields or documents, XML parsers or processing libraries | XML parsing libraries, XML processing technologies | Disable external entity parsing, restrict XML parsing to trusted sources, and perform input validation and sanitization. | Information disclosure, denial of service, server-side request forgery. |
| Remote Code Execution (RCE) | Executing user-supplied code or commands on the server | Input fields accepting code snippets or commands, File uploads with executable code, Interpreters or runtime environments | Server-side programming languages, execution environments | Avoid executing user input as code, implement proper input validation and sanitization, and use secure coding practices. | Arbitrary code execution, server compromise, data loss. |
| Directory Traversal/Path Traversal | Handling user-provided file or directory paths | Input fields specifying file or directory paths, URLs for accessing specific files or directories | Web servers, file systems | Use input validation, whitelist-based path checks, and ensure proper access controls are in place to prevent unauthorized access to files and directories. | Unauthorized access to sensitive files, information disclosure, server compromise. |
| Insecure Deserialization | Deserializing user-supplied serialized objects | Serialized objects or data streams, Input fields accepting serialized data | Serialization and deserialization frameworks | Avoid deserializing untrusted data, validate and sanitize serialized input, and use secure deserialization techniques such as type checking and integrity verification. | Arbitrary code execution, remote command execution, data tampering. |