Injection Prevention Cheat Sheet

From OWASP
Revision as of 22:56, 13 November 2017


Last revision (mm/dd/yy): 11/13/2017

Introduction

This article is focused on providing clear, simple, actionable guidance for preventing the entire category of Injection flaws in your applications. Injection attacks, especially SQL Injection, are unfortunately very common.

Application accessibility (whether the application's source can be reached and changed) is a very important factor in the protection and prevention of injection flaws. Only a minority of the applications within a company or enterprise are developed in house, whereas most come from external sources. Open source applications at least give the opportunity to fix problems, but closed source applications need a different approach to injection flaws.

Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code, often found in SQL queries, LDAP queries, XPath queries, OS commands, program arguments, etc. Injection flaws are easy to discover when examining code, but more difficult via testing. Scanners and fuzzers can help attackers find them.

Depending on this accessibility, different actions must be taken in order to fix them. It is always best to fix the problem in the source code itself, or even to redesign parts of the application. But if the source code is not available, or it is simply uneconomical to fix legacy software, only virtual patching makes sense.

Application Types

Three classes of applications can usually be seen within a company. These three types are needed to identify the actions that need to take place in order to prevent or fix injection flaws.

A1: New Application

A new web application in the design phase, or in early stage development.

A2: Productive Open Source Application

An already productive application, which can be easily adapted. A Model-View-Controller (MVC) type application is just one example of an easily accessible application architecture.

A3: Productive Closed Source Application

A productive application which cannot be modified, or only with difficulty.

Forms of Injection

There are several forms of injection targeting different technologies including SQL queries, LDAP queries, XPath queries and OS commands.

Query languages

The most famous form of injection is SQL Injection where an attacker can modify existing database queries. For more information see the SQL Injection Prevention Cheat Sheet.

LDAP, SOAP, XPath and REST based queries can also be susceptible to injection attacks, allowing data retrieval or control bypass.

Scripting languages

All scripting languages used in web applications have a form of eval call which receives code at runtime and executes it. If code is crafted using unvalidated and unescaped user input, code injection can occur, which allows an attacker to subvert application logic and eventually to gain local access.

Every time a scripting language is used, the actual implementation of the 'higher' scripting language is done in a 'lower' language like C. If the scripting language has a flaw in its data handling code, 'Null Byte Injection' attack vectors can be used to gain access to other areas in memory, which results in a successful attack.

Operating System (OS) Commands

Application developers sometimes implement operating system interactions using calls to system utilities to create and remove directories for example. Here unescaped input can lead to arbitrary OS commands being executed.

Issue Name: Command Injection

Description:

Appending a semicolon to the end of a URL query parameter, followed by an operating system command, will execute the command. %3B is URL encoded and decodes to a semicolon. This works because the ; is interpreted as a command separator.

Example: http://sensitive/something.php?dir=%3Bcat%20/etc/passwd

If the application responds with the output of the /etc/passwd file, then you know the attack has been successful.

How to test for the issue:

Many web application scanners can be used to test for this attack, as they inject variations of command injection payloads and test the response.

Equally, static code analysis tools check the data flow of untrusted user input into a web application and check whether the data then reaches a dangerous method which executes the user input as a command.

How to identify the issue during code review:

During code review, check whether any command execution methods are called and whether unvalidated user input is passed as data to that command.

Remediation:

If a call to a system command that incorporates user-supplied input is considered unavoidable, the following two layers of defense should be used within the software in order to prevent attacks:
  1. Parametrization - If available, use structured mechanisms that automatically enforce the separation between data and command. These mechanisms can help to provide the relevant quoting and encoding.
  2. Input validation - both the values for the commands and the relevant arguments should be validated. There are different degrees of validation for the actual command and its arguments:
    • When it comes to the commands used, these must be validated against a whitelist of allowed commands.
    • In regards to the arguments used for these commands, they should be validated using the following options:
      • Positive or "whitelist" input validation - where the allowed arguments are explicitly defined.
      • Whitelist regular expression - where a whitelist of allowed characters and the maximum length of the string are explicitly defined. Ensure that metacharacters like & | ; $ > < ` \ ! and whitespace are not part of the regular expression. For example, the following regular expression only allows lowercase letters and numbers, and does not contain metacharacters. The length is also limited to 3-10 characters:
        ^[a-z0-9]{3,10}$

Example code - Java:

Incorrect Usage

  ProcessBuilder b = new ProcessBuilder("C:\\DoStuff.exe -arg1 -arg2");

In this example, the command and its arguments are passed as one string, making it easy to manipulate that expression and inject malicious strings.

Correct Usage

Here is an example that starts a process with a modified working directory. The command and each of the arguments are passed separately. This makes it easy to validate each term and reduces the risk of inserting malicious strings.

  import java.io.File;
  import java.util.Map;

  ProcessBuilder pb = new ProcessBuilder("TrustedCmd", "TrustedArg1", "TrustedArg2");
  Map<String, String> env = pb.environment(); // the child's environment can be reviewed or restricted here
  pb.directory(new File("TrustedDir"));       // working directory is set explicitly
  Process p = pb.start();                     // throws IOException if the command cannot be started
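To show the two remediation layers above in working code, here is an added example in Python (not code from the cheat sheet, whose own example is Java); it assumes a small command whitelist of echo and ls, applies the cheat sheet's ^[a-z0-9]{3,10}$ argument rule after URL-decoding, and passes the command as an argument list rather than as a shell string.

```python
import re
import subprocess
from urllib.parse import unquote

# Assumed whitelist of commands the application may run (constructed for this example).
ALLOWED_COMMANDS = {"echo", "ls"}
# The cheat sheet's argument rule: lowercase letters and digits only, 3-10 characters.
# Shell metacharacters (& | ; $ > < ` \ !) and whitespace cannot match this pattern.
ARG_PATTERN = re.compile(r"^[a-z0-9]{3,10}$")

class InjectionAttempt(ValueError):
    """Raised when a command or argument fails whitelist validation."""

def build_argv(command, raw_args):
    """Input validation layer: whitelist the command, then each argument.

    Arguments are canonicalized (URL-decoded) before the check, so an encoded
    %3B is validated as the ';' it decodes to, not as harmless-looking text.
    """
    if command not in ALLOWED_COMMANDS:
        raise InjectionAttempt(f"command not in whitelist: {command!r}")
    argv = [command]
    for raw in raw_args:
        value = unquote(raw)
        if not ARG_PATTERN.fullmatch(value):
            raise InjectionAttempt(f"argument rejected by whitelist: {value!r}")
        argv.append(value)
    return argv

def run_validated(command, raw_args):
    """Parametrization layer: command and arguments are passed as a list.

    No shell is involved, so a ';' in an argument can never act as a command
    separator, even if the validation above were somehow bypassed.
    """
    argv = build_argv(command, raw_args)
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout

def shell_string_insecure(dir_param):
    """The vulnerable pattern, for contrast only: returned, never executed.

    Shows how the cheat sheet's ?dir=%3Bcat%20/etc/passwd parameter becomes a
    second command once it is decoded and concatenated into one shell string.
    """
    return "ls " + unquote(dir_param)
```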

Network Protocols

Web applications often communicate with network daemons (like SMTP, IMAP, FTP) where user input becomes part of the communication stream. Here it is possible to inject command sequences to abuse an established session.

Injection Prevention Rules

Rule #1 (Perform proper input validation):

Perform proper input validation. Positive or “whitelist” input validation with appropriate canonicalization is also recommended, but is not a complete defense as many applications require special characters in their input.

Rule #2 (Use a safe API):

The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.

Rule #3 (Contextually escape user data):

If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter.
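As an added example (not part of the cheat sheet) of Rule #2 and Rule #3 applied to the SQL case the page names as the most common form of injection, the following Python runs the same lookup three ways against an in-memory SQLite table constructed for the demonstration; the escaping helper is SQLite-specific and stands in for Rule #3 only where no parameterized API exists.

```python
import sqlite3

def make_sample_db():
    """Constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_insecure(conn, name):
    """Vulnerable pattern, for contrast: untrusted data spliced into the query text."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_parameterized(conn, name):
    """Rule #2: the placeholder keeps the value as data; the SQL parser never sees it."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

def escape_sqlite_string(value):
    """Rule #3 fallback: interpreter-specific escaping for a SQLite string literal.

    SQLite escapes a single quote inside a string literal by doubling it. This is
    correct only for that position in that dialect, not for identifiers, numbers
    or other database engines, which is why Rule #2 is preferred.
    """
    return "'" + value.replace("'", "''") + "'"

def lookup_escaped(conn, name):
    """Same query with contextual escaping, used only when no parameterized API exists."""
    sql = "SELECT name FROM users WHERE name = " + escape_sqlite_string(name)
    return sorted(row[0] for row in conn.execute(sql))
```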

Other Injection Cheatsheets

SQL Injection Prevention Cheat Sheet
OS Command Injection Defense Cheat Sheet
LDAP Injection Prevention Cheat Sheet
Injection Prevention Cheat Sheet in Java

Other Cheatsheets