Comments on: All Injection Attack Vectors http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/ Ranting and Raving Mon, 06 Oct 2008 19:23:12 +0000 http://wordpress.org/?v=2.6.2 By: H M Boethius http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-42670 H M Boethius Mon, 12 Feb 2007 02:00:44 +0000 http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-42670 excuse me but what is this "injection attack"? Are you writing a book to define this meaning? Are you seeking dialogue to ascertain the popularity of this phrase? Is there anything novel about this phrase that is informative? Is there a point to this inventention? Are you teaching so that you may learn? Let me see, now. What is your game, that you should write about a game? Taxonomy? Lepidoptary? excuse me but what is this “injection attack”? Are you writing a book to define this meaning? Are you seeking dialogue to ascertain the popularity of this phrase? Is there anything novel about this phrase that is informative? Is there a point to this inventention? Are you teaching so that you may learn?

Let me see, now. What is your game, that you should write about a game? Taxonomy? Lepidoptary?

]]> By: James Orenchak http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-42582 James Orenchak Sun, 11 Feb 2007 20:28:16 +0000 http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-42582 If you really want to compile a list, you could add SSI ( Server side includes) injection, PHP injection, Shell injection, ASP injection, Include file injection, command injection and CRLF injection. Tommorow there my be a new web technology, followed the next day by a new type of injection targeted at that technology. What Yan Ivnitskiy wrote over at http://isisblogs.poly.edu/2007/02/08/all-injection-attack-vectors/, especially the sentance "In reality, in all of these cases we are simply mixing the data with the control channel and assigning each variation a different name.", is true. I would suggest abandoning the idea of making a list of all injection attack vectors and simply saying that injection of malicious scripts, SQL statements, XML content and invalid data, usually through use of a form field that the attacker knows will be inserted into the application to cause a potential failure or denial of the service, requires input validation. Bye the way, implementing the security pattern named "Intercepting Validator Pattern" is an excellent way of validating input. If you really want to compile a list, you could add SSI ( Server side includes) injection, PHP injection, Shell injection, ASP injection, Include file injection, command injection and CRLF injection. Tommorow there my be a new web technology, followed the next day by a new type of injection targeted at that technology.

What Yan Ivnitskiy wrote over at http://isisblogs.poly.edu/2007/02/08/all-injection-attack-vectors/, especially the sentance “In reality, in all of these cases we are simply mixing the data with the control channel and assigning each variation a different name.”, is true.

I would suggest abandoning the idea of making a list of all injection attack vectors and simply saying that injection of malicious scripts, SQL statements, XML content and invalid data, usually through use of a form field that the attacker knows will be inserted into the application to cause a potential failure or denial of the service, requires input validation. Bye the way, implementing the security pattern named “Intercepting Validator Pattern” is an excellent way of validating input.

]]> By: The Cafes » My Next Book http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-41989 The Cafes » My Next Book Fri, 09 Feb 2007 19:59:22 +0000 http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-41989 [...] With a little luck, the book should be on store shelves sometime this summer. I’ve already posted a number of questions that arose while writing it. I’m going to be posting a lot more over the next couple of months. I also plan to post many small excerpts from the book for your perusal and comment. I hope you’ll help out by commenting on, caviling, and correcting the draft pieces I’ll be posting here. [...] [...] With a little luck, the book should be on store shelves sometime this summer. I’ve already posted a number of questions that arose while writing it. I’m going to be posting a lot more over the next couple of months. I also plan to post many small excerpts from the book for your perusal and comment. I hope you’ll help out by commenting on, caviling, and correcting the draft pieces I’ll be posting here. [...]

]]> By: “All Injection Attack Vectors” at ISIS Blogs http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-41476 “All Injection Attack Vectors” at ISIS Blogs Thu, 08 Feb 2007 04:59:28 +0000 http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-41476 [...] Over at Mokka mit Schlag Elliotte Rusty Harold (he teaches Java/XML at Poly) is asking whether SQL is the only language with injection attack vector? What about XML/ XPath, JSON, etc. Is there a comprehensive attack-tree for injection attacks? See if you can answer some of these questions. Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages. [...] [...] Over at Mokka mit Schlag Elliotte Rusty Harold (he teaches Java/XML at Poly) is asking whether SQL is the only language with injection attack vector? What about XML/ XPath, JSON, etc. Is there a comprehensive attack-tree for injection attacks? See if you can answer some of these questions. Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages. [...]

]]> By: Ryan Cox http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-40501 Ryan Cox Mon, 05 Feb 2007 02:01:50 +0000 http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-40501 XML Entity Exploits : http://lists.xml.org/archives/xml-dev/200210/msg01735.html XML Entity Exploits : http://lists.xml.org/archives/xml-dev/200210/msg01735.html

]]> By: John Cowan http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-40390 John Cowan Sun, 04 Feb 2007 18:11:50 +0000 http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-40390 Oops, 'u' and 'l' appear twice in the last paragraph. Oops, ‘u’ and ‘l’ appear twice in the last paragraph.

]]> By: John Cowan http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-40389 John Cowan Sun, 04 Feb 2007 18:06:53 +0000 http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-40389 In fact, the parseJSON method in Javascript does use eval(), but it defangs the JSON by making sure it matches the following majestic regular expression first: /^("(\\.|[^"\\\n\r])*?"|[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t])+?$/ Translated into English, that says that a JSON string is a non-empty sequence of tokens, where a token is either a string or a non-string character Strings are a sequence of items surrounded by double-quote characters, where an item is either a backslash followed by any character, or a character that isn't a backslash, newline, or return. Non-string characters, on the other hand, can only be one of the following: comma, colon, braces, brackets, digits, decimal point, minus, plus, the letters E, t, r, u, e, f, a, l, s, n, u, and l, space, tab, newline, and return. In fact, the parseJSON method in Javascript does use eval(), but it defangs the JSON by making sure it matches the following majestic regular expression first:

/^(”(\\.|[^"\\\n\r])*?”|[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t])+?$/

Translated into English, that says that a JSON string is a non-empty sequence of tokens, where a token is either a string or a non-string character

Strings are a sequence of items surrounded by double-quote characters, where an item is either a backslash followed by any character, or a character that isn’t a backslash, newline, or return.

Non-string characters, on the other hand, can only be one of the following: comma, colon, braces, brackets, digits, decimal point, minus, plus, the letters E, t, r, u, e, f, a, l, s, n, u, and l, space, tab, newline, and return.

]]> By: Martin Bravenboer http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-40387 Martin Bravenboer Sun, 04 Feb 2007 17:57:19 +0000 http://www.elharo.com/blog/software-development/web-development/2007/02/04/all-injection-attack-vectors/#comment-40387 Shell (executed from Perl for example), XML & HTML (unescaped user input, XSS), and there are many other query languages out there, for example JDOQL, HQL, EJBQL, OQL. Virtually any program (written in any language) constructed dynamically from strings is vulnerable. See also: http://en.wikipedia.org/wiki/Code_injection Shell (executed from Perl for example), XML & HTML (unescaped user input, XSS), and there are many other query languages out there, for example JDOQL, HQL, EJBQL, OQL.

Virtually any program (written in any language) constructed dynamically from strings is vulnerable.

See also: http://en.wikipedia.org/wiki/Code_injection

]]>