So far we have seen that web applications are increasingly complex offerings and that they frequently act as the Internet-facing interface to a range of business-critical back-end resources, including networked ones: web services, back-end web servers, mail servers, and even local resources such as the file system and the operating system's own interfaces. The key point to keep in mind is that any application attack that can achieve arbitrary interaction with a back-end component can bypass the entire access control model applied to the web application, allowing unauthorized access to sensitive data and functionality.
Injecting OS Commands
Most web platforms have by now evolved to the point where built-in APIs exist for essentially any required interaction with the server's operating system. Used properly, these APIs let developers access the file system, interface with other processes and carry out network communication in a safe and controlled manner; the flaws discussed here arise when an application instead hands user-controlled data to a command interpreter.
Finding OS Command Injection Flaws
An application may issue operating system commands that incorporate absolutely any item of user-supplied data, including every URL and body parameter and even every cookie. To test the application thoroughly you therefore need to target all of these items within every application function. Remember that any application development platform or web server may call out to a shell interpreter, running either on its own operating system or on that of another host. The lesson is: do not make assumptions about how the application handles metacharacters based on what you know about the web server's operating system.
There are two broad types of metacharacter that can be used to inject a separate command into an existing preset command:
1. The characters ; | & and newline. These batch multiple commands so that they run one after the other, and some of them can be doubled (for example && or ||), which produces different effects.
2. The backtick character (`), which encapsulates a separate command within a data item being processed by the original command; the enclosed command is executed first and its output is substituted into the original command.
Finding Dynamic Execution Vulnerabilities and Preventing OS Command Injection
Dynamic execution vulnerabilities arise most commonly in languages such as PHP and Perl, but in practice any application platform may pass user-supplied input to a script-based interpreter, sometimes on a different back-end server.
The single most effective way to prevent OS command injection flaws from arising is to avoid calling out directly to operating system commands from application code.
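The following Python snippet is an added example, not code from the original article: it puts the vulnerable pattern (user input concatenated into a string handed to /bin/sh) next to the two defences that remain when calling out cannot be avoided, passing the value as a single argv element with no shell, and allowlist validation beforehand. The metacharacter set and the hostname allowlist are assumptions constructed for this example.

```python
import re
import subprocess

# Shell metacharacters the text lists (; | & newline, backtick), plus $( ),
# which modern shells treat like backticks.  Constructed for this example.
SHELL_META = re.compile(r"[;|&`$()\r\n]")

# Allowlist for a hostname-style parameter: only these characters may appear.
HOSTNAME = re.compile(r"[A-Za-z0-9.-]{1,253}")


def vulnerable_echo(value: str) -> str:
    """Vulnerable pattern: user input concatenated into a string handed to /bin/sh."""
    out = subprocess.run("echo " + value, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def argv_echo(value: str) -> str:
    """No shell: the value is one argv element, so metacharacters are never interpreted."""
    out = subprocess.run(["echo", value], capture_output=True, text=True)
    return out.stdout


def safe_echo(value: str) -> str:
    """Hardened: allowlist validation first, then argv without a shell."""
    if not HOSTNAME.fullmatch(value):
        raise ValueError("parameter rejected: %r" % value)
    return argv_echo(value)


def find_metachars(value: str) -> list:
    """Which metacharacters a parameter value carries (handy when reviewing request logs)."""
    return sorted(set(SHELL_META.findall(value)))
```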
File Inclusion Vulnerabilities
Many scripting languages support include files. This lets developers place reusable code components in separate files and include them in function-specific code files as and when they are needed; the included code is interpreted just as if it had been inserted at the location of the include directive.
The PHP language is particularly susceptible to file inclusion vulnerabilities because its include functions can accept a remote file path. This has been the basis of numerous vulnerabilities in PHP applications.
The most serious attack is to specify an external URL as the location of the include file; since included code is interpreted, the server ends up executing whatever that URL serves.
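As an added example (not from the original article), here is how an application can resolve a request-controlled include name without ever reaching a remote URL or a file outside its include directory. The directory path and the allowlist of include names are assumptions constructed for the example; the first function is the preferred pattern, the second is a fallback for code that still accepts a raw file name.

```python
import os
from urllib.parse import urlsplit

# Constructed for this example: where the application's include files live,
# and the only names a request may select.  Both are assumptions, not from the page.
INCLUDE_DIR = "/var/www/app/includes"          # placeholder path
ALLOWED = {"header": "header.inc", "footer": "footer.inc", "nav": "nav.inc"}


def resolve_include(key: str) -> str:
    """Preferred: map an opaque request value onto a fixed file; nothing else is reachable."""
    try:
        return os.path.join(INCLUDE_DIR, ALLOWED[key])
    except KeyError:
        raise ValueError("unknown include: %r" % key)


def resolve_raw_include(name: str) -> str:
    """Fallback when an allowlist is impractical: reject URLs, NUL bytes and path
    separators, then confirm the resolved path still sits inside INCLUDE_DIR."""
    if urlsplit(name).scheme:                      # http://, ftp://, php://, data:, ...
        raise ValueError("remote include rejected")
    if "\0" in name or "/" in name or "\\" in name or os.sep in name:
        raise ValueError("path separators rejected")
    if not name.endswith(".inc"):
        raise ValueError("only .inc files may be included")
    target = os.path.realpath(os.path.join(INCLUDE_DIR, name))
    base = os.path.realpath(INCLUDE_DIR)
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes include directory")
    return target
```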
Injecting into XML Interpreters
XML is used extensively in today's web applications, both in the requests and responses between the browser and the front-end application server and in messages between back-end application components (for example, SOAP services).
It is also used to submit data from the client to the server. This is most commonly found in Ajax-based applications, where asynchronous requests are used to communicate in the background, and it is no less likely to appear in browser extension components and other client-side technologies.
The XML specification allows custom entities to be defined within the XML document itself. It also allows entities to be defined using external references, whose value is fetched dynamically by the XML parser.
Now we come to the most important part, so concentrate. We will look at the ways in which this behaviour can be abused:
1. The attacker uses the application as a proxy to retrieve sensitive content from any web server the application can reach, including servers running internally within the organization on private, unroutable address space.
2. The attacker exploits vulnerabilities in back-end web applications, provided these can be exploited through the URL alone.
3. The attacker tests for open ports on back-end systems by cycling through large numbers of IP addresses and port numbers.
How can SOAP injection be prevented? Employ boundary validation filters at every point where user-supplied data is inserted into a SOAP message, so that the data cannot break out of the element in which it is placed.
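The following added example (not from the original article) covers both directions described above: parsing XML received from a client with a parser that refuses DTDs, entity declarations and external entity references, so none of the three abuses listed can start; and escaping user-supplied data before it is inserted into an outgoing SOAP message. It uses only the standard library's expat binding; the element names in the test data are constructed.

```python
import xml.parsers.expat
from xml.sax.saxutils import escape


class UnsafeXml(ValueError):
    """Raised when client XML carries a DTD, an entity declaration or an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from a client into {element name: text}, refusing anything DTD-related.
    Rejecting the DTD closes off external-entity fetches and entity-expansion bombs alike."""
    parser = xml.parsers.expat.ParserCreate()

    def refuse(*_args):
        raise UnsafeXml("DTD and entity declarations are not accepted from clients")

    parser.StartDoctypeDeclHandler = refuse     # fires on <!DOCTYPE ...>, before any entity
    parser.EntityDeclHandler = refuse           # belt and braces: <!ENTITY ...>
    parser.ExternalEntityRefHandler = refuse    # an external reference is never followed

    result, stack = {}, []

    def start(name, _attrs):
        stack.append(name)
        result.setdefault(name, "")

    def chars(text):
        if stack:                               # expat may split text into several chunks
            result[stack[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def soap_text(value: str) -> str:
    """Boundary validation for data going the other way, into an outgoing SOAP message:
    escape the five XML-significant characters so the value cannot close or open elements."""
    return escape(value, {'"': "&quot;", "'": "&apos;"})
```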
Injecting into Mail Services
Many applications contain a facility for users to submit messages through the application, for example to report a problem to support personnel or to give feedback about a website. This is usually implemented by interfacing with a mail (SMTP) server. If an attacker can submit suitably crafted input that is not filtered or sanitized, they may be able to inject arbitrary SMTP commands into the conversation. These vulnerabilities are often exploited by spammers, who scan the Internet for vulnerable mail forms and use them to generate large volumes of nuisance e-mail.
Preventing SMTP Injection
The most important thing to do here is to validate every item as strictly as possible, given the purpose for which it is being used:
1. E-mail addresses should be checked against a suitable regular expression (which must, in particular, reject newline characters).
2. The message subject should not contain any newline characters, and it may also be limited to a suitable length.
3. If the content of the message is being used directly in an SMTP conversation, a line containing just a single dot should not be allowed.
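The three rules above as working validation code, added here as an example rather than taken from the original article. The address regular expression and the subject length limit are assumptions; the second function goes one step beyond the text by showing dot-stuffing (RFC 5321 section 4.5.2) as the alternative to rejecting a body that contains a bare dot line.

```python
import re

# Sender syntax the form accepts.  Constructed for this example; tighten to taste.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_SUBJECT = 200


def check_mail_form(sender: str, subject: str, body: str) -> list:
    """Return the names of the fields that fail the three rules (empty list = accept)."""
    bad = []
    # fullmatch, not match() with '$': with '$' a trailing "\n" still matches, and that
    # newline is exactly what an injected header or SMTP command needs.
    if not EMAIL.fullmatch(sender):
        bad.append("sender")
    if "\r" in subject or "\n" in subject or not 0 < len(subject) <= MAX_SUBJECT:
        bad.append("subject")
    # a line consisting of a single dot ends the DATA phase of an SMTP conversation
    if any(line == "." for line in body.splitlines()):
        bad.append("body")
    return bad


def dot_stuff(body: str) -> str:
    """Alternative for the body: prefix every line that starts with '.' with another '.',
    so the receiving server strips it again and no line is ever a bare dot."""
    return "\r\n".join(("." + line if line.startswith(".") else line)
                       for line in body.splitlines())
```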
We hope this was clear and that you have learned a lot today; these are things that nobody working in technology can afford to miss. We have examined a wide range of attacks targeting back-end application components and the practical steps you can take to identify and exploit them. None of this is easy, and being confident that you have uncovered all the back-end injection flaws in an application takes time and patience. The more you read and the more you learn, the more you will understand!