Injection and Broken Access Control

Uploaded by Siyabonga

Injection

Introduction
Injection attacks refer to a broad class of attack vectors. An injection attack involves supplying
untrusted input to a program as part of a command or query; an interpreter then processes that
input as part of the command, which in turn alters how the program runs.

Date of discovery
SQL injection is one of the oldest types of injection. Jeff Forristal (writing as "Rain Forest
Puppy"), a hacker and researcher in the field of cybersecurity, first documented the SQL injection
exploit in Phrack magazine issue 54 in December 1998.

Common attack vectors:


1. SQL injection (SQLi) - injects SQL syntax into a query so that the attacker can read and
modify database data. Depending on the database engine and the privileges of the database
account, this attack can also be used to write arbitrary files to the server and even run OS
commands, which could compromise the entire system.
2. Cross-site scripting (XSS) - injects script (typically JavaScript) into a legitimate website
or web application so that it executes in the victim's browser with the trust of that site.
3. OS command injection - injects operating system commands into input that the application
passes to a shell; the commands run with the privileges of the account the web application
runs as. In more advanced variants, this attack can chain a privilege escalation flaw to
compromise the entire system.
4. Code injection - injects source code that the application itself evaluates (for example,
through an eval-style call), which typically lets the attacker execute operating system
commands as the user running the web application. If necessary, advanced attacks can use
privilege escalation vulnerabilities to gain even higher privileges, potentially compromising
the entire system.
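The first vector above, as an added example that is not code from the original document: a login query built by string concatenation, next to the parameterised version that fixes it (the "variable binding" mitigation). The in-memory SQLite database, its users table, the sample rows and the function names are all constructed for illustration.

```python
"""Added example: SQL injection against a login query, beside the parameterised fix.
The database, table, sample rows and function names are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text, so a quote in the
    input changes the structure of the query instead of being treated as data."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Fixed: the query text is constant and the values are bound as parameters.
    The driver passes them as data, so a quote in the input can never close the
    string literal or append new SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload: closes the string literal and makes the WHERE clause always true.
    tautology = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, tautology, tautology))  # every user row
    print("bound:     ", login_safe(db, tautology, tautology))        # []
    # UNION-based payload: reads a column the query was never meant to return.
    union = "x' UNION SELECT username, password FROM users --"
    print("vulnerable:", login_vulnerable(db, union, ""))             # leaks passwords
    print("bound:     ", login_safe(db, union, ""))                   # []
```

The bound version does not sanitise the input at all; it simply never lets the input become part of the SQL grammar, which is why parameterisation is the primary defence and filtering is only a secondary layer.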

Commonly applied fixes/ mitigation measures


1. Validate user input (accept only values that match an allow-list of expected formats)
2. Apply restrictions (length, character set and type limits on every field)
3. Avoid sharing one database or database account between applications
4. Input filtering
5. Mitigate inadequate data handling
6. Avoid detailed error messages reaching the user (they leak query and schema details)
7. Use variable binding (parameterised queries or prepared statements instead of string concatenation)
8. Minimize application privileges
9. Use a limited-access database account
10. Penetration testing
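Mitigations 1 and 8 applied to the OS command injection vector, as an added example that is not code from the original document: a "ping this host" feature that hands user input to a shell, beside a version that validates the hostname against an allow-list and never involves a shell. The hostnames, the regular expression and the function names are constructed for illustration, and `echo` stands in for `ping` so the example runs anywhere.

```python
"""Added example: OS command injection in a host-check feature, beside two layers
of fix (allow-list validation and no shell).  Names and inputs are constructed."""
import re
import subprocess

# Allow-list for a hostname: letters, digits, dots and hyphens only, bounded length.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_valid_hostname(host: str) -> bool:
    """True only if the whole string matches the allow-list (no trailing newline tricks)."""
    return HOSTNAME_RE.fullmatch(host) is not None


def ping_vulnerable(host: str) -> str:
    """Vulnerable: the host is pasted into a command line that /bin/sh parses, so
    ';', '|', '$(...)' and similar metacharacters in the input start new commands.
    'echo' stands in for 'ping' so the example is self-contained."""
    completed = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return completed.stdout


def ping_argv_only(host: str) -> str:
    """Second layer on its own: no validation, but no shell either.  The payload is
    delivered as one literal argv element and is printed back, not executed."""
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def ping_safe(host: str) -> str:
    """Fixed: reject anything that is not a plausible hostname, then pass the value
    as a single argv element with no shell, so metacharacters cannot be interpreted
    even if the validation were later weakened."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host value: {host!r}")
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(ping_vulnerable(payload), end="")   # two lines: example.com and INJECTED
    print(ping_argv_only(payload), end="")    # the payload echoed back as plain text
    try:
        ping_safe(payload)
    except ValueError as err:
        print("blocked:", err)
    print(ping_safe("example.com"), end="")   # example.com
```

Both layers matter: argv-style invocation removes the shell as an interpreter, while the allow-list stops the value from reaching any downstream parser (DNS, a log line, a second command) that has its own metacharacters.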

Real world examples of successful attacks:


GhostShell attack (October 2012) - hackers from the hacktivist group Team GhostShell targeted 53
universities using SQL injection, and stole and published 36,000 personal records belonging to
students, faculty and staff.
Turkish government (April 2014) - the RedHack collective, a different hacktivist group, used SQL
injection to break into a Turkish government website and erase debts owed to government
agencies.
7-Eleven breach (October 2007) - several businesses, most notably the 7-Eleven retail chain,
were breached by an attacker group (Albert Gonzalez and accomplices) using SQL injection; the
2009 indictment charged the theft of some 130 million credit card numbers across the affected
companies.
HBGary breach (February 2011) - the IT security company's website was compromised through a
SQL injection flaw in its custom content management system by Anonymous-affiliated hackers, who
went on to leak the company's e-mail. The attack was a response to the CEO of HBGary Federal
claiming that he had identified members of the Anonymous collective.

Broken Access Control


Introduction
Access control is the set of rules that defines what each user is allowed to access, together
with the mechanism that enforces those rules. Broken access control means that this enforcement
is not working, so users can reach other users' accounts, data and functions, or exercise access
rights they were never granted.

Date of discovery
Broken Access Control first appeared on the OWASP Top 10 2017 list in position 5 (A5), as the
result of merging A4-Insecure Direct Object References and A7-Missing Function Level Access
Control from the OWASP Top 10 2013 list. In the 2021 edition it moved to first place (A01).

Common attack vectors:


1. Vertical privilege escalation - granting a user, application or other asset more
privileges or privileged access than it already possesses; this is also referred to as a
privilege elevation attack. It means moving from a lower level of privileged access to a
higher level. The attacker may need to take a few intermediate steps to achieve vertical
privilege escalation: for example, launching a buffer overflow attack to get around or
override privilege controls, exploiting vulnerabilities in software, firmware or the kernel,
or obtaining privileged credentials for other applications or the operating system as a
whole. According to the Microsoft Vulnerabilities Report 2021, elevation of privilege
vulnerabilities accounted for 44% of all Microsoft vulnerabilities in 2020.
2. Horizontal privilege escalation - gaining access to the rights of another human or machine
account at the same privilege level; when it targets a specific account this is also
described as account takeover. It typically involves standard user accounts, which may not
be adequately protected. An attacker widens their scope of access, with comparable
privileges, for each new horizontal account that is compromised.
3. Context-dependent privilege escalation - attackers frequently turn horizontal privilege
escalation into vertical privilege escalation by compromising privileged users. For
instance, breaking horizontal controls could yield the login information of another user;
if that user holds an administrative account, the attackers now have the authority to
escalate privileges vertically.

Commonly applied fixes/ mitigation measures


1. Consistent examination and testing of access control
2. Default access deny
3. Limiting the use of Cross-Origin Resource Sharing (CORS)
4. Enable role-based access control
5. Enable permission-based access control
6. Enable mandatory access control
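The horizontal and vertical vectors above, and mitigations 2 and 4 from this list, as an added example that is not code from the original document: an order lookup with an insecure direct object reference and a delete action with no function-level check, beside handlers that deny by default and then allow by ownership and role. The users, orders, handler names and the `AccessDenied` exception are constructed for illustration.

```python
"""Added example: IDOR (horizontal) and missing function-level check (vertical) on
a small order store, beside default-deny handlers.  All data and names are constructed."""
from functools import wraps

# Constructed sample data: each user's role, and who owns each order.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
ORDERS = {
    1001: {"owner": "alice", "item": "laptop", "card_last4": "4242"},
    1002: {"owner": "bob", "item": "headphones", "card_last4": "1111"},
}


class AccessDenied(Exception):
    """Raised on every path that is not explicitly allowed (default deny)."""


# --- Vulnerable handlers: the session proves who you are, never what you may touch.

def get_order_vulnerable(session_user: str, order_id: int) -> dict:
    """IDOR: any authenticated user can fetch any order just by guessing its id."""
    return ORDERS[order_id]


def delete_order_vulnerable(session_user: str, order_id: int) -> None:
    """Missing function-level check: the 'admin only' action is simply not enforced."""
    del ORDERS[order_id]


# --- Fixed handlers: deny by default, then allow narrowly.

def require_role(*allowed_roles: str):
    """Decorator enforcing role-based access (vertical control) before the handler runs."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session_user: str, *args, **kwargs):
            role = USERS.get(session_user, {}).get("role")
            if role not in allowed_roles:
                raise AccessDenied(f"{session_user!r} lacks a role in {allowed_roles}")
            return fn(session_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("user", "admin")
def get_order(session_user: str, order_id: int) -> dict:
    """Object-level check (horizontal control): the caller must own the order unless
    they are an admin.  Unknown ids and other users' ids fail identically, so the
    response does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    is_admin = USERS[session_user]["role"] == "admin"
    if order is None or (order["owner"] != session_user and not is_admin):
        raise AccessDenied(f"{session_user!r} may not read order {order_id}")
    return order


@require_role("admin")
def delete_order(session_user: str, order_id: int) -> None:
    """Function-level check: non-admins never reach the body at all."""
    if order_id not in ORDERS:
        raise AccessDenied(f"order {order_id} not deletable by {session_user!r}")
    del ORDERS[order_id]


if __name__ == "__main__":
    print(get_order_vulnerable("bob", 1001))   # bob reads alice's card digits
    print(get_order("alice", 1001)["item"])    # the owner still works
    for user, oid in (("bob", 1001), ("bob", 9999), ("mallory", 1001)):
        try:
            get_order(user, oid)
        except AccessDenied as err:
            print("denied:", err)
    try:
        delete_order("bob", 1002)
    except AccessDenied as err:
        print("denied:", err)
    delete_order("carol", 1002)                # admin path succeeds
```

The ownership test lives in the handler rather than in the caller, which is what "consistent testing of access control" should verify: every route that takes an object id must bind that id to the authenticated principal, and every privileged route must carry the role check.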

Real world examples of successful attacks:


Snapchat (January 2014) - Gibson Security disclosed flaws in the Snapchat service, but the
company dismissed them as merely theoretical. A week later, brute-force enumeration through
the "find friends" feature had revealed 4.6 million phone numbers and usernames. Snapchat's
public claim that the attack was hypothetical, and the fact that it had taken no action,
appear to have motivated the attack at least in part. Phone numbers and user information
that could be useful for various purposes were leaked as a result.
South Carolina Department of Revenue (2012) - a significant data breach affected the
department, and a large volume of taxpayer data, including 3.6 million Social Security
numbers, was stolen. It appears that a straightforward spear phishing attack enabled the
breach. The government system was theoretically safe from unauthorised users, but only until
the attackers were able to break user authentication or get around it. After that, there
was insufficient internal access control to stop the now "authenticated" attackers from
reaching the sensitive tax data and stealing it.

References
1. Injection attack vectors: What Are Injection Attacks? (DZone Security)
2. Injection date: What is SQL injection - Examples & prevention (Malwarebytes)
3. GhostShell attack: GhostShell university hack: By the numbers (ZDNET)
4. Turkish government: Hackers RedHack Leak Details of Hundreds of Turkish Government Officials (ibtimes.co.uk)
5. 7-Eleven breach: 7-Eleven statement regarding 2007 credit card fraud (databreaches.net)
6. HBGary breach: HBGary breach revelations and repercussions (Help Net Security); SQL Injection Attack: Real Life Attacks and Code Examples (brightsec.com)
7. Broken Access Control date: OWASP 2017 top 10 vs. 2013 top 10 (Infosec Resources, infosecinstitute.com)
8. Broken Access Control attack vectors: OWASP Broken Access Control Attack And Its Prevention (crashtest-security.com)
9. Broken Access Control common fixes: How to Prevent Broken Access Control? (GeeksforGeeks)
10. Snapchat attack: Real Life Examples of Web Vulnerabilities (OWASP Top 10) (horangi.com)