DEV Community

Sedat SALMAN for AWS Community Builders

Posted on

AWS Security Stories #04.4: OWASP - Injection

Injection attacks are a severe threat to web applications, as they allow attackers to inject malicious code into a system, granting them unauthorized access to sensitive data or the ability to perform malicious actions. The OWASP (Open Web Application Security Project) has identified several types of injection attacks, including:

SQL Injection: In this type of attack, the attacker is able to inject malicious SQL code into a web application, allowing them to gain access to sensitive data stored in a database. Example code:

SELECT * FROM users WHERE username = '$username' AND password = '$password'
Enter fullscreen mode Exit fullscreen mode

Command Injection: This type of attack occurs when an attacker is able to inject malicious commands into a web application, allowing them to execute arbitrary code on the server.
*Example code: *

system('ping ' . $user_input);
Enter fullscreen mode Exit fullscreen mode

OS Command Injection: Similar to command injection, but this type of attack allows an attacker to execute arbitrary commands on the operating system level.
*Example code: *

exec($user_input);
Enter fullscreen mode Exit fullscreen mode

XPath Injection: This type of attack targets XML databases, allowing an attacker to inject malicious XPath expressions into a web application, allowing them to gain access to sensitive data.
*Example code: *

$xml->xpath('//user[username/text()="' . $username . '" and password/text()="' . $password . '"]');
Enter fullscreen mode Exit fullscreen mode

LDAP Injection: This type of attack occurs when an attacker is able to inject malicious LDAP statements into a web application, allowing them to gain access to sensitive data stored in an LDAP directory.
*Example code: *

(&(objectCategory=Person)(objectClass=user)(cn=$username))
Enter fullscreen mode Exit fullscreen mode

ORM Injection: This type of attack occurs when an attacker is able to inject malicious code into an Object-Relational Mapping (ORM) framework, allowing them to gain access to sensitive data stored in a database.
Example code:

Person.where("name = '#{params[:name]}'").first
Enter fullscreen mode Exit fullscreen mode

NoSQL Injection: This type of attack occurs when an attacker is able to inject malicious code into a NoSQL database, allowing them to gain access to sensitive data stored in the database. Example code:

db.users.find({"username": {"$eq": user_input}})
Enter fullscreen mode Exit fullscreen mode

AWS provides several security features that can be used to protect against injection attacks, including:

AWS WAF: This service allows you to create security rules that can block common injection attack patterns.
Amazon Elasticsearch Service: This service allows you to create Elasticsearch domains that are automatically configured with security best practices, such as encryption at rest and in transit, to protect against injection attacks.
Amazon RDS: This service provides several security features that can help protect against injection attacks, including the ability to use parameterized queries and to create database security groups that control access to your RDS instances.

Examples of using these AWS security features to protect against injection attacks include:

AWS WAF (Web Application Firewall) is a service that allows you to create security rules to block common injection attack patterns. By using AWS WAF, you can create rules that match specific SQL keywords and operators in the request body and block requests that contain them. This can help prevent SQL injection attacks by blocking malicious SQL code before it reaches your web application.

To create a rule using AWS WAF to block SQL injection attacks, you can use the AWS Management Console or the AWS WAF API. Here are the steps to create a rule using the AWS Management Console:

  1. Log in to the AWS Management Console and navigate to the AWS WAF & Shield service.
  2. Select the Web ACLs option from the navigation menu.
  3. Click the Create web ACL button to create a new Web ACL.
  4. Give your Web ACL a name and select the resource that you want to associate it with (e.g. your Elastic Load Balancer or CloudFront distribution).
  5. Click the Create button to create your Web ACL.
  6. Click on the created Web ACL and navigate to the Rules tab.
  7. Click the Create Rule button to create a new rule.
  8. Give your rule a name and select SQL Injection as the predefined rule type.
  9. Click the Create button to create your rule.
  10. In the rules tab, select the created rule and click on the "Create rule group" button.
  11. Give a name to the rule group and select the created rule in it
  12. Now associate the rule group with the created Web ACL by clicking on the "Associate" button. Alternatively, you can use the AWS WAF API to create and manage rules using AWS CLI or SDKs. Here is an example of how to create a rule using the AWS CLI:
aws wafv2 create-rule --name "SQLInjectionRule" --scope REGIONAL --predicate { "dataId": "SQLInjection", "negated": false }
Enter fullscreen mode Exit fullscreen mode

This command creates a new rule named "SQLInjectionRule" that uses the predefined SQL injection rule type. The --scope option is used to specify that the rule is a regional rule.

Additionally, you can use Amazon Elasticsearch Service, which is a fully managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud. By using this service, you can encrypt data at rest and in transit, which makes it difficult for an attacker to read sensitive data even if they are able to inject malicious code into the system. Also, you can use Amazon RDS security groups to control access to your RDS instances and to only allow trusted IP addresses to connect to your RDS instances which can help to prevent injection attacks.

AWS provides several security features that can help protect your web application against injection attacks, but it's important to keep in mind that implementing these features alone does not guarantee complete protection. It's always recommended to follow best practices for web application security and to continuously monitor and test your application for vulnerabilities.

Top comments (0)