Cyber Attacks (Injections)
What is it?
Injection attacks are some of the oldest, most dangerous, and well-known attacks in the world of cybersecurity. In simple terms, an injection attack happens when an attacker injects some untrusted data into an interpreter as part of a command or query. This evil data can trick the interpreter into executing unintended commands or accessing data without authorization.
Interpreter - An interpreter is a program that converts human-readable code into machine-executable code.
This widely used injection attack comes in many different flavors (MITRE mentions 12), which can be bucketed into code, command, SQL, NoSQL, LDAP, and cross-site scripting injections. Instead of listing them all out here, I’ll mention the two injections used most often that can cause some serious damage - SQL and XSS.
- SQL - This injection attack has been around since 1998 and is all about busting into your coveted SQL database. SQL stands for “Structured Query Language”, which is a simple language used to query databases, and the majority of websites leverage some kind of SQL database. If your website isn’t properly protected, the attacker can inject a simple SQL query into the username and password fields, dumping the entire database of credentials. A simple and commonly used query to trick a database into dumping all of its credentials is - ' OR ' 1 ' = ' 1
- Cross-site scripting (XSS) - XSS injection attacks sit within your website’s code, either on the client-side (your computer) or server-side (computer serving you info). Similar to our SQL injection, in this case, our attacker is injecting “scripts”, instead of database queries.
Defending against it
Luckily, there are many ways to defend against both of these injection attacks, but one way of testing to see if your system is vulnerable to injection attacks more generally is through “fuzzing”.
SQL - Protecting against SQL injection attacks is actually pretty simple these days since it has been around so long. Some common methods are…
- Using safe APIs that avoid passing raw input to interpreters, “whitelisting” the characters an input may contain, or parameterized statements that bind the user’s input as data to a previously created statement instead of splicing it into the query text.
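To make the difference concrete, here is an added example (my own, not from the original post) that runs the post’s ' OR '1'='1 payload against a string-built login query and against a parameterized one. It assumes Python’s built-in sqlite3 module and a constructed in-memory users table with one sample row.

```python
import sqlite3

# Constructed sample data: one user row in an in-memory database (not real credentials).
SAMPLE_USER = ("alice", "correct horse battery staple")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the user's input becomes part of the SQL text itself."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    # With the payload below the WHERE clause becomes
    #   username = 'nobody' AND password = '' OR '1'='1'
    # which is true for every row, so every account comes back.
    return [row[0] for row in conn.execute(query).fetchall()]


def login_parameterized(conn, username, password):
    """Parameterized query: the statement is fixed; the input is bound as data only."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    # The quotes and OR inside the payload are just characters in a string here,
    # so nothing matches and the result is empty.
    return [row[0] for row in conn.execute(query, (username, password)).fetchall()]


# The post's payload, written without the extra spaces so the quotes line up.
PAYLOAD = "' OR '1'='1"


def compare(username="nobody", password=PAYLOAD):
    """Return what each login variant yields for the same (attacker-controlled) input."""
    return {
        "vulnerable": login_vulnerable(make_db(), username, password),
        "parameterized": login_parameterized(make_db(), username, password),
    }


if __name__ == "__main__":
    print(compare())  # vulnerable returns every user, parameterized returns []
```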
XSS - When protecting against XSS attacks the main goal is to separate the untrusted data (e.g. scripts) from active browser content. Some specific methods are…
- Using frameworks that automagically escape XSS by design (e.g. Ruby on Rails and React JS), escaping untrusted data before it is written into the HTML output, and using contextual (context-aware) encoding.
Observing it in the wild
There’s a long list of famous attacks that leveraged some kind of injection, below are just a few.
- Samy MySpace Attack - Within 20 hours of its October 4, 2005 release, over one million users had run the payload injecting a statement at the bottom of every MySpace profile saying “but most of all, Samy is my hero”.
- TalkTalk Telecom - In October 2015, an SQL injection attack was used to steal the personal details of 156,959 customers from TalkTalk's servers.
- Sony Playstation - On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQL injection to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.