- We define Injection (INJ) as:
- Due to input with language-specific special elements, the software assembles
a command
string that is parsed into an invalid construct.
- In other words, the command string is interpreted to have unintended, queries, OS
commands, markups, scripts, etc.
- High (semantic).
- Fig. 1 depicts INJ causes, attributes and consequences.
Fig 1. Injection (INJ) Class - click on image for detailed view.
- The attributes of INJ are:
- Language – SQL, Bash, regex, XML/Xpath, PHP, CGI, etc.
- This indicates the language in which the command string is interpreted.
- Special Element – Query Elements, Header Separators, Scripting Elements, Format Parameters,
Path
Traversals, Wildcards, Metacharacters, etc.
- These could be assembled with other elements to form malicious structures such as
queries, scripts and commands. Query elements are strings delimiters
‘ or “ or
words such as and or or. Header separators are carriage return/line feed.
Scripting elements are < or > or &. Format parameters are
such as %c or %n. Path traversals elements are .. or \.
Metacharacters are back tick ( ` ) or $ or &.- Entry Point – Data Entry Field, Scripting Tag, Markup Tag, Function Call Parameter, Procedure
Call Argument, Program Argument, System Property, Cookie, etc.
- This indicates where the input came from.
- Invalid Construct – Database Query, OS Command, Regular Expression, Markup, Script, etc.
- This indicates what eventually is wrong.
- The graph of causes shows that there are two main causes for injection: input not
checked properly or input not sanitized properly.
- In the graph of consequences, Arbitrary Code Execution concerns any instructions to the computer –
compiled, interpreted by software, executed
directly by hardware or combination.
- Note that INJ can cause Information Change/Loss. For example, and attacker can inject a command
(Add Command) that overwrites a file.
- An example of Mask Legitimate Command is inserting
“--”, which would comment part of
that legitimate command. An example of Mask Legitimate Information is inserting
“or 1==1”, which would change a password to an expression that returns always
true.
- Injection sites are typically not primitive operations in most languages. Sites are
the library or utility functions that accept a command string for actions. In shell
commands, command substitution is invoked with paired back quotes
(`...`) or
$(...). Command substitution executes a subshell, which opens the possibility of the string
to be interpreted with all the richness of the command line interpreter.
- BF classes related to INJ are: ATN, <<content to be added>>.
- CWEs related to INJ are: CWE-59, CWE-74, CWE-75, CWE-77, CWE-78, CWE-79, CWE-80, CWE-85, CWE-87, CWE-88, CWE-89, CWE-90, CWE-91, CWE-93, CWE-94, CWE-99, CWE-113, CWE-116, CWE-172, CWE-243, CWE-564, CWE-611, CWE-619, CWE-643, CWE-652, CWE-943.
- The corresponding ST is the Injection Semantic Template.
- BF Descriptions of INJ Related CWEs are provided here.
- Application examples are provided here.
- [1]
Bojanova, I., Black, P. E., Yesha, Y., Wu, Y., The Bugs Framework (BF): A
Structured Approach to Express Bugs. 2016 IEEE International Conference on Software Quality,
Reliability, and Security
(QRS
2016), Vienna, Austria. August 1-3, 2016.