Catch Me If You Can: Detection of Injection Exploitation by Validating Query and Function Integrity
by Abhishek Singh and Ramesh Mani
Injection flaws remain one of the critical risks as per the OWASP top 10 web application security risks [2]. Injection flaws include SQL, NoSQL, OS, and LDAP injection techniques. Threat actor groups such as Axiom, Night Dragon[3] have been observed using SQL injection to gain access to systems. In the infamous Bulgaria tax agency breach on July 17, 2019, according to various sources[1], the vulnerability resulting in leakage of tax data of millions of Bulgarian citizens was a SQL Injection vulnerability. Similarly, a critical SQL injection vulnerability was reported in the enterprise, accounting, financial, payroll database of Starbucks on August 5th, 2019. On September 11, 2019, the Sequelize ORM [7] npm library was found vulnerable to SQL Injection Exploits. Injection flaws have ruled as the critical web application vulnerability for a decade.
The research community has extensively discussed exploitation details for SQL injection, NoSQL, OS command and LDAP injection exploits. In our upcoming presentation at Virus Bulletin 2019, we dive into the technical details of novel detection algorithms to detect SQL, NoSQL, LDAP, and OS command injection exploits.
Our algorithms to detect SQL injection, NoSQL, OS command and LDAP injection exploitation leverage code flow analysis. Injection attacks such as SQL, NoSQL, OS command and LDAP injection exploits add additional code at runtime, which leads to a change in the legitimate code of the application. The algorithm makes use of the abstract syntax tree (AST), program dependency graph (PDG) and the SQL parse tree to compute the changes in the original code due to the injection-based exploits. In our presentation, we will take an example of SQL, NoSQL, OS command and LDAP injection exploits and show the changes in the AST, PDG, and SQL parse tree due to the exploits. These changes in code due to the exploits are the fundamental principle of the detection algorithms used to detect SQL, NoSQL, OS command and LDAP injection which will be discussed in the subsequent part of the presentation.
The algorithm to detect injection-based exploitation by instrumenting the application has the following inherent advantages:
- The algorithm identifies the injection vulnerability in the code during the invocation of the program execution functions, SQL, NoSQL query execution functions. With each detected exploitation attempt, the vulnerable code path also gets detected. This automatic identification of the vulnerable part of the code will aid to patch the code preventing further exploitation.
- The algorithm only leverages binary instrumentation of the application to detect injection-based exploitation. Hence the detection is independent of the deployment of an application and the manner it accepts external inputs. The application can be deployed as a backend microservices and can accept batched requests which get broken down by the middle layer and served to the rear end microservices. In this scenario, the algorithm will raise an alert for injection-based attacks.
- Traditionally WAF has been used to detect web application exploits. Detections of exploits over the HTTP traffic are prone to evasion[17][18]. The query, function, and parameter’s integrity algorithm detects exploitation during the execution of the query, program execution functions; it is immune to the evasions applicable to the network packet processing layer.
- The algorithm raises an alert during the actual exploitation. It is independent of the type of the application and the operating system on which the application is executing. Hence the algorithm is capable of detecting both known and zero-day vulnerabilities in the application.
The below table compares the detection of an Injection vulnerability in a web application by Query, Function and Parameter integrity algorithm with other technologies.
| Web Application Firewall | Source Code Auditing | Query, Function and Parameter Integrity Algorithm | |
|---|---|---|---|
| Immune to Network Evasion Techniques | No [4][5] | Yes | Yes |
| Actionable Alerts | No (Every alert does not mean code is vulnerable) | Yes | Yes (Every alert means code is vulnerable) |
| Detection does not require computation of input to the application. | Yes | No | Yes |
| Detection is independent of deployment | No | Yes | Yes |
| Identifies Vulnerable Code Path | No | Yes | Yes |
We invite you to view our presentation at Virus Bulletin 2019.
| Web Application FireWall | Source Code Auditing | Query, Function and Parameter Integrity Algorithm | |
| Immune to Network Evasion Techniques | No[4][5] | Yes | Yes |
| Actionable Alerts | No (Every alert does not mean code is vulnerable) | Yes | Yes (Every alert means code is vulnerable |
| Detection does not require computation of input to the application. | Yes | No | Yes |
| Detection is independent of deployment | No | Yes | Yes |
| Identifies Vulnerable Code Path | No | Yes | Yes |
References
[1] SQL Injection Compromises the Entire Country,
[2] Exploit Public-Facing https://attack.mitre.org/techniques/T1190/
[3]OWASP TOP 10, https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
[4] Evasions in Intrusion Prevention / Detection Systems, https://www.virusbulletin.com/virusbulletin/2010/04/evasions-intrusion-prevention-detection-systems
[5]XXE that can Bypass WAF Protection,
[6] SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database, https://hackerone.com/reports/531051
[7] Sequelize ORM npm library found vulnerable to SQL Injection Attacks. https://snyk.io/blog/sequelize-orm-npm-library-found-vulnerable-to-sql-injection-attacks/