CAPEC-6 - Argument Injection

An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 1
  • Injection
  • Purposes 1
  • Penetration
  • Scopes 3
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality
  • Modify application data
  • Integrity
  • Read application data
  • Confidentiality

Medium level: The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output.

Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.

Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client.

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Never Use Input as Part of a Directive to any Internal Component

Step 1 - Discovery of potential injection vectors

Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.)..

Tecnique ID: 1 - Environment(s) env-All

Manually cover the application and record the possible places where arguments could be passed into external systems.

Tecnique ID: 2 - Environment(s) env-All

Use a spider, for web applications, to create a list of URLs and associated inputs.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Arguments are used by the application in exposed services or methods

Indicator ID: 2 - Environment(s) env-All

Type: Inconclusive

No parameters appear to be used.

Indicator ID: 3 - Environment(s) env-All

Type: Negative

Application does not use any inputs.


Security Control ID: 1

Type: Detective

Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Security Control ID: 2

Type: Detective

Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.

Security Control ID: 3

Type: Preventative

Use CAPTCHA to prevent the use of the application by an automated tool.

Security Control ID: 4

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be automated.


Outcome ID: 1

Type: Success

A list of parameters, arguments to modify is identified.

Outcome ID: 2

Type: Success

A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker.



Step 1 - 1. Attempt variations on argument content

Possibly using an automated tool, the attacker will perform injection variations of the arguments..

Tecnique ID: 1 - Environment(s) env-All

Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure).

Tecnique ID: 2 - Environment(s) env-All

Use a proxy tool to record results, error messages and/or log if accessible.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

The application behaves like the injection has been a success.

Indicator ID: 2 - Environment(s) env-All

Type: Inconclusive

No result appears.


Security Control ID: 1

Type: Preventative

Actively monitor malicious inputs.

Security Control ID: 2

Type: Detective

Monitor the services and/or methods uses of the arguments.


Outcome ID: 1

Type: Failure

It is possible to monitor the application and to see that the argument has been validated.



Step 1 - Abuse of the application

The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application..

Tecnique ID: 1 - Environment(s) env-All

Manually inject specific payload into targeted argument.

Security Control ID: 2

Type: Preventative

Actively monitor malicious inputs.

Security Control ID: 3

Type: Detective

Monitor the services and/or methods uses of the arguments.


Outcome ID: 1

Type: Success

The attacker observes desired effect.



Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.

Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.

Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.