Active Topics Memberlist Calendar Search Help | |
Register Login |
One Stop Testing Forum : Types Of Software Testing @ OneStopTesting : Security Testing @ OneStopTesting |
Topic: Securty: Injection Flaws Details.. |
|
Author | Message |
tanushree
Senior Member Joined: 04Apr2007 Online Status: Offline Posts: 2160 |
Topic: Securty: Injection Flaws Details.. Posted: 26Mar2008 at 3:55am |
Introduction
Injection flaws, particularly SQL injection, are common in web applications. There are many types of injections: SQL, LDAP, XPath, XSLT, HTML, XML, OS command injection and many more. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands via supplying specially crafted data. Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application. In the worst case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments. Environments AffectedAll web application frameworks that use interpreters or invoke other processes are vulnerable to injection attacks. This includes any components of the framework, that might use back-end interpreters. VulnerabilityIf user input is passed into an interpreter without validation or encoding, the application is vulnerable. Check if user input is supplied to dynamic queries, such as: PHP: Java: Verifying SecurityThe goal is to verify that user data cannot modify the meaning of commands and queries sent to any of the interpreters invoked by the application. Automated approaches: Many vulnerability scanning tools search for injection problems, particularly SQL injection. Static analysis tools that search for uses of unsafe interpreter APIs are useful, but frequently cannot verify that appropriate validation or encoding might be in place to protect against the vulnerability. If the application catches 501 / 500 internal server errors, or detailed database errors, it can significantly hamper automated tools, but the code may still be at risk. Automated tools may be able to detect LDAP / XML injections / XPath injections. Manual approaches: The most efficient and accurate approach is to check the code that invokes interpreters. The reviewer should verify the use of a safe API or that appropriate validation and/or encoding has occurred. Testing can be extremely time-consuming and with low coverage and spotty because the attack surface of most applications is so large. ProtectionAvoid the use of interpreters when possible. If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping (ORM) libraries. These interfaces handle all data escaping, or do not require escaping. Note that while safe interfaces solve the problem, validation is still recommended in order to detect attacks. Using interpreters is dangerous, so it's worth it to take extra care, such as the following:
Post Resume: Click here to Upload your Resume & Apply for Jobs |
|
IP Logged | |
Forum Jump |
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
© Vyom Technosoft Pvt. Ltd. All Rights Reserved.