Argument Injection
Attack Pattern ID: 6 (Standard Attack Pattern Completeness: Complete)
Typical Severity: High
Status: Draft
+ Description

Summary

An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.

Attack Execution Flow

Explore
  1. Discovery of potential injection vectors:

    Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).

    Attack Step Techniques

    ID  Environments  Attack Step Technique Description
    1   env-All       Manually cover the application and record the possible places where arguments could be passed into external systems.
    2   env-All       Use a spider, for web applications, to create a list of URLs and associated inputs.

    Indicators

    ID  Type          Environments  Indicator Description
    1   Positive      env-All       Arguments are used by the application in exposed services or methods.
    2   Inconclusive  env-All       No parameters appear to be used.
    3   Negative      env-All       The application does not use any inputs.

    Outcomes

    ID  Type     Outcome Description
    1   Success  A list of parameters and arguments to modify is identified.
    2   Success  A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.), is created by the attacker.

    Security Controls

    ID  Type          Security Control Description
    1   Detective     Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
    2   Detective     Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans but remain visible to spiders and programs. A request for such a page then becomes a good predictor of an automated tool probing the application.
    3   Preventative  Use CAPTCHA to prevent the use of the application by an automated tool.
    4   Preventative  Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Experiment
  1. Attempt variations on argument content:

    Possibly using an automated tool, the attacker performs injection variations of the arguments.

    Attack Step Techniques

    ID  Environments  Attack Step Technique Description
    1   env-All       Use a very large list of probe strings to detect whether there is a positive result and, if the target is obscure, what type of system has been targeted.
    2   env-All       Use a proxy tool to record results, error messages and/or the log, if accessible.

    Indicators

    ID  Type          Environments  Indicator Description
    1   Positive      env-All       The application behaves as if the injection has succeeded.
    2   Inconclusive  env-All       No result appears.

    Outcomes

    ID  Type     Outcome Description
    1   Failure  It is possible to monitor the application and to see that the argument has been validated.

    Security Controls

    ID  Type          Security Control Description
    1   Preventative  Actively monitor for malicious inputs.
    2   Detective     Monitor the services' and/or methods' use of the arguments.
Exploit
  1. Abuse of the application:

    The attacker injects specific syntax into a particular argument in order to produce a specific malicious effect in the targeted application.

    Attack Step Techniques

    ID  Environments  Attack Step Technique Description
    1   env-All       Manually inject a specific payload into the targeted argument.

    Outcomes

    ID  Type     Outcome Description
    1   Success  The attacker observes the desired effect.

    Security Controls

    ID  Type          Security Control Description
    2   Preventative  Actively monitor for malicious inputs.
    3   Detective     Monitor the services' and/or methods' use of the arguments.
+ Attack Prerequisites

Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.

Software must allow unvalidated or unfiltered input to be executed on the operating system shell, and, optionally, the system configuration must allow output to be sent back to the client.

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

A recent example instance of argument injection occurred against Java Web Start technology, which eases the client-side deployment of Java programs. Java Web Start uses JNLP files to describe the properties of the program. The client-side Java runtime used the arguments in the property settings to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, those commands are sent to the client command shell.

Source http://www.securityfocus.com/archive/1/393696

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker has to identify the injection vector, identify the operating system-specific commands, and optionally collect the output.

+ Resources Required

Ability to communicate synchronously or asynchronously with the server. Optionally, the ability to capture output directly through synchronous communication or by another method such as FTP.

+ Solutions and Mitigations

Design: Do not place input values directly on the command shell; instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to application-specific types and values, stripping or filtering out all unauthorized commands and characters in the process.
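As an added illustration of this Design mitigation (example code written for this page, not CAPEC's own or any product's), the unsafe string-splicing pattern is shown beside a conversion function that validates user input into application-specific values and passes them to an external tool as an argument list with `--` ending option parsing; the `head` tool and the accepted name rules are assumptions for the demonstration.

```python
import re

# Added example (not CAPEC's own code): convert untrusted input into
# application-specific values and hand them to an external tool as an argv list
# (no shell) ending option parsing with "--"; "head" and the name rules are assumed.

# Allow-list for a plain file name: no path separators, no shell metacharacters,
# no leading "-" (a leading dash injects an option even when no shell is involved).
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def to_safe_filename(user_input: str) -> str:
    """Guilty until proven innocent: accept only an allow-listed name and reject
    everything else instead of trying to strip the bad characters out."""
    if not _SAFE_NAME.fullmatch(user_input):
        raise ValueError(f"rejected file name {user_input!r}")
    return user_input


def to_line_count(user_input: str) -> int:
    """Convert a numeric argument to a bounded int rather than passing raw text."""
    if not re.fullmatch(r"[1-9][0-9]{0,3}", user_input):
        raise ValueError(f"rejected line count {user_input!r}")
    return int(user_input)


def vulnerable_command(count: str, name: str) -> str:
    """What the Design mitigation warns against: raw input spliced into a command
    string destined for a shell. Shown for contrast only."""
    return f"head -n {count} {name}"


def hardened_argv(count: str, name: str) -> list[str]:
    """Hardened form: converted values, argv list for subprocess.run() without
    shell=True, and "--" so the file name cannot be parsed as an option."""
    return ["head", "-n", str(to_line_count(count)), "--", to_safe_filename(name)]


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one option injection, one metachar.
    for name in ("notes.txt", "--version", "notes.txt; id"):
        try:
            print(hardened_argv("5", name))
        except ValueError as exc:
            print("blocked:", exc)
```

The rejected inputs show the two cases the pattern covers: metacharacters aimed at a shell, and a leading dash that would be read as an option by the tool itself even when no shell is used.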

Design: Limit program privileges, so that if metacharacters or other methods circumvent the program's input validation routines and shell access is attained, the program is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.

Implementation: Implement an audit log that is written to a separate host; in the event of a compromise, the audit log may be able to provide evidence and details of the compromise.

+ Attack Motivation-Consequences
  • Privilege Escalation
  • Data Modification
  • Information Leakage
+ Injection Vector

Malicious input delivered through standard input; the attacker inserts additional arguments on the application's standard interface.

+ Payload

Varies with the instantiation of the attack pattern. The malicious payload either passes commands through valid parameters or supplies metacharacters that cause unexpected termination that redirects to a shell.

+ Activation Zone

Client machine and client network (e.g. Intranet)

+ Payload Activation Impact

Enables the attacker to execute server-side code with any commands that the program owner has privileges to run; this is particularly problematic when the program is run as a system or privileged account.

+ Related Weaknesses
CWE-ID  Weakness Name                                                                             Weakness Relationship Type
77      Improper Sanitization of Special Elements used in a Command ('Command Injection')         Targeted
146     Improper Neutralization of Expression/Command Delimiters                                  Targeted
184     Incomplete Blacklist                                                                      Targeted
78      Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')  Targeted
185     Incorrect Regular Expression                                                              Targeted
713     OWASP Top Ten 2007 Category A2 - Injection Flaws                                          Targeted
697     Insufficient Comparison                                                                   Targeted
+ Related Attack Patterns
Nature    Type            ID   Name                 Description  View(s) this relationship pertains to
ChildOf   Attack Pattern  137  Parameter Injection               Mechanism of Attack (primary) (1000)
ParentOf  Attack Pattern  15   Command Delimiters                Mechanism of Attack (1000)
+ Related Guidelines
  • Never Use Input as Part of a Directive to any Internal Component

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: Low
Integrity Impact: High
Availability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
Submitter                                                                                         Organization  Date
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.  Cigital, Inc  2007-01-01
Modifications
Modifier         Organization          Date        Comments
Gunnar Peterson  Cigital, Inc          2007-02-28  Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum      Cigital, Inc          2007-03-09  Review and revise
Richard Struse   VOXEM, Inc            2007-03-26  Review and feedback leading to changes in Attack Prerequisites and Related Guidelines
Sean Barnum      Cigital, Inc          2007-04-13  Modified pattern content according to review and feedback
Romain Gaucher   Cigital, Inc          2009-02-10  Created draft content for detailed description
Sean Barnum      Cigital Federal, Inc  2009-04-13  Reviewed and revised content for detailed description