
Injection Fundamentals: What Is Injection?

Help Me/Important StS Links

Table Of Contents

Intro

  • OWASP Top 10 2017
    • Top 10 security threats to web applications
      • Injection is #1 risk
  • Who is this course for?
    • Developers with little or no prior injection/security knowledge
  • Prerequisites: None
  • At the end of this episode, you'll be able to
    1. Understand what injection is
    2. Understand how execution contexts are linked to injection risks
    3. Evaluate code to decipher all execution contexts
    4. Inject a live node.js server within a safe containerized environment
      • Offense is the best defense!
  • Ready? Come join me in the next lecture!

What Is Injection?

  • Webhook functionality within node application

    • Leveraging GET for simplicity

      var userDefinedUrl = 'example.com/route';
      // Allow shell access
      var exec = require('child_process').exec;
      var curl = exec('curl ' + userDefinedUrl);
      curl.stdout.on('data', function(data) {
        // Mock response
        console.log(data);
      });
  • Injection is introducing data with malicious intent

    • This data could include unexpected commands that the program executes
  • What malicious data could be injected into userDefinedUrl?

Inject The Shell Context (Assignment)

// Assignment: Kill the node process by entering data into `userDefinedUrl`
// Assume that the commands are being executed within a bash shell
var userDefinedUrl = 'example.com/route';
// Allow shell access
var exec = require('child_process').exec;
var curl = exec('curl ' + userDefinedUrl);
curl.stdout.on('data', function(data) {
  // Mock response
  console.log(data);
});
// Run: "EX_NUM=1 docker-compose up"
// File: "ep9-injection-fundamentals-part-1/src/1/app.js"
// Env Setup/Error Reporting: https://sts.tools/readme
// Questions: https://sts.tools/injection-question
  • Hint:
    1. Think about the execution context that we're focusing on (i.e., linux shell) and what delimits shell commands
    2. pkill

Inject The Shell Context (Answer)

// Make a PR and contribute your answers here!
// var userDefinedUrl = "example.com/route; pkill node";

var userDefinedUrl = 'example.com/route';
// Allow shell access
var exec = require('child_process').exec;
var curl = exec('curl ' + userDefinedUrl);
curl.stdout.on('data', function(data) {
  // Mock response
  console.log(data);
});
// Run: "EX_NUM=2 docker-compose up"
// File: "ep9-injection-fundamentals-part-1/src/2/app.js"
// Env Setup/Error Reporting: https://sts.tools/readme
// Questions: https://sts.tools/injection-question

Inject The Shell Context (Takeaways)

var userDefinedUrl = 'example.com/route; pkill node';
var curl = exec('curl ' + userDefinedUrl);
  • Input is fed into an execution context (e.g., /bin/sh) that has its own syntax (e.g., `;` separates commands)

    • If the input may contain the context's delimiters, injection can be very easy
  • If the input has come from an outside entity, don't trust it

    • Ex: user-supplied data that is read back from a database is still untrusted
  • What other ways can the shell context be exploited?

    var userDefinedUrl = "example.com/route; echo $ENV_SECRET";

Syntactic Injection

var userDefinedUrl = 'example.com/route; pkill node';
var curl = exec('curl ' + userDefinedUrl);
  • Syntactic Injection
    • Exploiting the syntax of a given execution context

Evaluating Execution Contexts

var userDefinedUrl = 'example.com/route; pkill node';
var curl = exec('curl ' + userDefinedUrl);
  • var curl = exec("curl " + userDefinedUrl);
    • What execution contexts are being leveraged?
      1. shell
      2. curl
      3. javascript
        1. Always present, since the program itself runs in JavaScript

Next Steps

  • Additional assignment: Look for file manipulation within a codebase and identify potential injection issues
    • Sometimes file manipulations occur within a shell context
  • Review video notes for links to
    • Other/future episodes
    • Additional resources
      • Specific to other languages
      • Ability to explore more in-depth
  • Future episodes will cover additional execution contexts
  • Thanks! :D

Error Log

  • None so far :)

Additional Resources

  • Please submit a PR with any additional resources.

General

Java

Javascript

Ruby

PHP

Python

Knowledge Dependency Tree

  • None. This is the first episode