Injection (INJ) Class
Definition
We define Injection (INJ) as:
Due to input with language-specific special elements, the software assembles a command string that is parsed into an invalid construct.
In other words, the command string is interpreted to contain unintended queries, OS commands, markup, scripts, etc.
Type
Taxonomy
Fig. 1 depicts INJ causes, attributes and consequences.
Fig. 1. Injection (INJ) Class.
Attributes
The attributes of INJ are:
Language – SQL, Bash, regex, XML/XPath, PHP, CGI, etc.
This indicates the language in which the command string is interpreted.
Special Element – Query Elements, Header Separators, Scripting Elements, Format Parameters, Path Traversals, Wildcards, Metacharacters, etc.
These could be assembled with other elements to form malicious structures such as queries, scripts and commands. Query elements are string delimiters (' or ") or keywords such as AND and OR. Header separators are carriage return/line feed (CR/LF). Scripting elements are <, > or &. Format parameters are conversion specifiers such as %c or %n. Path traversal elements are .. or \. Metacharacters are backtick (`), $ or &.
Entry Point – Data Entry Field, Scripting Tag, Markup Tag, Function Call Parameter, Procedure
Call Argument, Program Argument, System Property, Cookie, etc.
This indicates where the input came from.
Invalid Construct – Database Query, OS Command, Regular Expression, Markup, Script, etc.
This indicates what eventually is wrong.
Causes
The graph of causes shows that there are two main causes for injection: input not
checked properly or input not sanitized properly.
Consequences
In the graph of consequences, Arbitrary Code Execution concerns any instructions to the computer – compiled, interpreted by software, executed directly by hardware, or a combination.
Note that INJ can cause Information Change/Loss. For example, an attacker can inject a command (Add Command) that overwrites a file.
An example of Mask Legitimate Command is inserting "--", which comments out the rest of the legitimate command (for instance, the password check of an SQL login query). An example of Mask Legitimate Information is inserting "OR 1=1", which changes the password condition into an expression that always evaluates to true.
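The two consequences above, Mask Legitimate Command ("--") and Mask Legitimate Information ("OR 1=1"), run against a real SQL parser. This is an added example and not code from the BF page: the in-memory SQLite table, its single user row, and the login function names are constructed for illustration.

```python
import sqlite3

# Added example (not from the BF page). The table, the one user row and the
# two login functions are constructed for illustration.


def make_db():
    """Constructed in-memory database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Entry point: two data entry fields. Language: SQL.

    The fields are pasted into the command string, so the string delimiter '
    and the comment marker -- in the input become SQL syntax.
    """
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Same query with bound parameters: the values never reach the SQL parser."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # Mask Legitimate Command: "--" comments out the password check.
    print(login_vulnerable(db, "alice'--", "wrong"))      # ['alice']
    # Mask Legitimate Information: OR 1=1 makes the WHERE clause always true.
    print(login_vulnerable(db, "' OR 1=1--", "wrong"))    # ['alice']
    # With bound parameters both inputs are just non-matching strings.
    print(login_safe(db, "alice'--", "wrong"))            # []
    print(login_safe(db, "' OR 1=1--", "wrong"))          # []
```

The fix is at the site, not at the entry point: binding parameters removes the need to decide which special elements to strip, which is why "input not sanitized properly" keeps reappearing when sanitization is attempted by hand.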
Sites
Injection sites are typically not primitive operations in most languages. Sites are the library or utility functions that accept a command string for actions. In shell commands, command substitution is invoked with paired backquotes (`...`) or $(...). Command substitution executes a subshell, which opens the possibility of the string being interpreted with all the richness of the command line interpreter.
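The shell site described above, shown from the calling program's side. This is an added example and not code from the BF page: the function names and the attacker-controlled file names are constructed, and it assumes a POSIX /bin/sh (which Python's subprocess uses when shell=True) and an echo binary on PATH.

```python
import shlex
import subprocess

# Added example (not from the BF page). Function names and payloads are
# constructed for illustration; assumes a POSIX /bin/sh and echo on PATH.


def label_vulnerable(name):
    """Site: the assembled command string is handed to a shell.

    The shell reparses it, so $(...) or `...` in `name` is command
    substitution and runs in a subshell before echo ever sees the argument.
    """
    cmd = "echo Processing " + name
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def label_quoted(name):
    """Still a shell site, but shlex.quote() escapes every metacharacter
    (the "sanitize input" fix): the name arrives as one literal word."""
    cmd = "echo Processing " + shlex.quote(name)
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def label_safe(name):
    """No shell at all: the argv list goes straight to execve(), so there is
    no command line interpreter to give $(...) or backticks any meaning."""
    return subprocess.run(["echo", "Processing", name],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed payloads: $(...), backticks, and the ";" metacharacter.
    for payload in ("$(echo INJECTED)", "`echo INJECTED`",
                    "a.txt; echo INJECTED"):
        print(repr(label_vulnerable(payload)))
        print(repr(label_quoted(payload)))
        print(repr(label_safe(payload)))
```

Of the three, only label_safe removes the site: there is no command string to assemble. label_quoted keeps the site and relies on escaping being complete, which is the weaker position whenever a new metacharacter or a different shell enters the picture.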
Related BF Classes
BF classes related to INJ are: ATN, <<content to be added>>.
Related CWEs, SFPs and ST
CWEs related to INJ are: CWE-59, CWE-74, CWE-75, CWE-77, CWE-78, CWE-79, CWE-80, CWE-85, CWE-87, CWE-88, CWE-89, CWE-90, CWE-91, CWE-93, CWE-94, CWE-99, CWE-113, CWE-116, CWE-172, CWE-243, CWE-564, CWE-611, CWE-619, CWE-643, CWE-652, CWE-943.
BF Descriptions of INJ Related CWEs are provided here.
Application
Application examples are provided here.