I. Background of Code Injection (cont'd)
- Application / Database Level
Nowadays, deploying web applications is a popular mean to enable users to easily search for specific data on the Internet or intranet. For example, a university may create a web portal that allows its students to search their course information and academic records.
Web application injection attack aims at exploiting a website through entering improper user-supplied data. Such attacks usually involve injection of malicious commands via the input data submitted by the client, which is later passed to the server to affect the execution of predefined queries.
A successful web application injection exploit can read sensitive data from the database, modify database data, and execute administrative operations within the database (e.g. shutdown the database management system (DBMS)). Two common injection techniques, SQL injection and LDAP injection, both fall into this category.
- OS Level
Some shell applications would base on the user-supplied inputs to select which program to run, which commands to use as well as which arguments for the program. Any web interface that does not properly sanitise the input is vulnerable to this exploit.
With the ability to execute OS commands, the attackers can inject unexpected and dangerous commands, upload malicious programs or even obtain passwords directly from the operating system. The problem would be even worse if the compromised process fails to follow the principle of least privilege, which allows the attacker's commands to be executed with special system privileges that increase the amount of damage.
A recent survey on security breaches revealed that SQL injection is the most prevalent means of attacking front-end Web applications and back-end databases to compromise data. In February 2010, an analysis of the Web Hacking Incidents Database (WHID) shows SQL injections as the top attack vector, making up 19 percent of all security breaches examined by WHID. Similarly, in the "Breach Report for 2010" released by 7Safe, an information security service provider, in February 2010, a whopping 60 percent of all breach incidents examined involved SQL injections.
See the article: http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=223100129