Injection vulnerabilities

Injection vulnerabilities - Injection vulnerabilities...

Info icon This preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
Injection vulnerabilities Injection vulnerabilities occur every time an application sends untrusted data to an interpreter. Injection flaws are very common and affect a wide range of solutions. The most popular injection vulnerabilities affect SQL, LDAP, XPath, XML parsers and program arguments. As explained in the OWASP “Top 10” guide, the injection flaws are quite easy to discover by analyzing the code, but frequently hard to find during testing sessions when systems are already deployed in production environments. The possible consequences of a cyber-attack that exploits an Injection flaw are data loss and consequent exposure of sensitive data, lack of accountability, or denial of access. An attacker could run an Injection attack to completely compromise the target system and gain control on it. The business impact of an Injection attack could be dramatic, especially when hacker compromise legacy systems and access internal data. SQL injection vulnerabilities are among most exploited flaws, despite the high level of awareness on the various techniques of hacking that exploit this category of bugs the impact of such attacks is very serious. A study released by the Ponemon Institute in October 2014 titled “ The SQL Injection Threat Study ” investigated on the reply of organizations to the SQL injection threat. The study revealed that despite about one-third believing that their organization has the necessary technology to detect and mitigate the cyber threat, the success rate of SQL injection attacks is too high. Injection vulnerabilities could affect various software and their impact depends on the level of diffusion of the vulnerable application. A classic example of the possible effect of the presence of injection flaws is the critical vulnerability dubbed Bash Bug affecting the Linux and UNIX command-line shell. The flaw, coded as CVE-2014-6271 , is remotely exploitable and affects Linux and Unix command-line shell potentially exposing to risk of cyber-attacks websites, servers, PCs, OS X Macs, various home routers , and many other devices. The vulnerability has existed for several decades and it is related to the way bash handles specially formatted environment variables, namely exported shell functions. To run an arbitrary code on affected systems it is necessary to assign a function to a variable, trailing code in the function definition will be executed. The critical Bash Bug vulnerability, also dubbed Shellshock, affects versions GNU Bash versions ranging from 1.14 through 4.3, a threat actor could exploit it to execute shell commands remotely on a targeted machine using specifically crafted variables.
Image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Such kind of vulnerabilities could have a dramatic effect on a large scale, let’s think for example to the dangers for the Internet-of-things devices like smart meters, routers, web cameras and any other device that runs software affected by this category of flaws.
Image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern