If we go by the literal meaning of the word, injection means injecting something. That raises three questions:
- What to inject?
- Where to inject?
- Why inject?
We will take these one by one.
What to inject?
A SQL query, a PHP command, a change to the arguments in the URL, etc.
Where to inject?
Wherever user input is requested or a user can modify the input.
It can be a text box (username, password, feedback fields, etc.) or a modification of the URL. We can always play around with the URL.
Why inject?
So that we can exploit the application!
- HTML injection (GET and POST)
- PHP injection (GET)
- iFrame injection
- SQL injection
- LDAP injection
- XPATH injection
There are other types of injection attacks as well, like OS command injection. I will be explaining the first two here and the others in subsequent parts.
HTML injection (GET)
Explaining GET and POST at a high level: these are the methods by which data is sent.
If the application uses GET, the user input can be seen in the URL itself; if it uses POST, we will not be able to see it in the URL. Don't dig deeper on this right now.
1) The user has to enter a firstname and lastname, and when we hit Go we can see them displayed on screen.
2) Let's take a look at the URL: you can see the parameters entered by the user in the URL (GET).
3) Now I modify the URL, placing HTML tags in the user name and password.
4) Here is the output for that.
5) Now let's do something else: I try to create a list in the URL itself.
6) Once we hit Go, we have the list displayed below along with the firstname and lastname.
Now let's see POST.
HTML injection (POST)
1) When we enter the firstname and lastname, the URL remains the same (all the sending activity is invisible in the URL).
2) Now, instead of changing the URL, we place the HTML entities in the text fields themselves.
3) The URL remains the same, since it is a POST.
All this happens because the application does not check the user input for what is valid and what is not. It simply takes the input from the user, processes it and displays the output.
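As an added illustration (not code from the original post or from the demo application), here is a minimal PHP page that reflects the firstname and lastname fields the way the demo above does, with the unchecked version beside a fixed one. The parameter names come from the walkthrough; the function names, the validation rule and the use of $_REQUEST to cover both GET and POST are assumptions for the example.

```php
<?php
// Added example, not the demo application's own code. It assumes the page
// receives "firstname" and "lastname" and echoes them back into HTML.

// Vulnerable form: raw user input is concatenated into the HTML response,
// so <li>, <script>, <iframe> and other tags in the input become markup.
function render_vulnerable(string $firstname, string $lastname): string
{
    return "<p>Welcome " . $firstname . " " . $lastname . "</p>";
}

// Hardened form: encode for the HTML context before output.
// htmlspecialchars turns < > & " ' into entities, so the browser
// renders the input as text instead of interpreting it as tags.
function render_safe(string $firstname, string $lastname): string
{
    $f = htmlspecialchars($firstname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $l = htmlspecialchars($lastname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Welcome " . $f . " " . $l . "</p>";
}

// Input validation as a second layer (assumed rule): a name should not
// contain markup characters at all. Letters, spaces, apostrophes and
// hyphens only, at most 64 characters; anything else is rejected.
function is_valid_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\' -]{1,64}$/u', $name);
}

// Works the same whether the values arrived via GET or POST: the method
// only changes where the data is visible, not whether it can be trusted.
$firstname = $_REQUEST['firstname'] ?? '';
$lastname  = $_REQUEST['lastname']  ?? '';

if (!is_valid_name($firstname) || !is_valid_name($lastname)) {
    http_response_code(400);
    echo 'Invalid name';
    exit;
}
echo render_safe($firstname, $lastname);
```

Run it with the built-in server (php -S localhost:8080 reflect.php) and submit the form or the query string from the walkthrough; with render_safe the list markup shows up literally as text, and with is_valid_name in front of it the request is refused before anything is rendered. Output encoding is the fix that actually stops the injection; the validation rule is an extra layer and should be chosen per field, since a feedback box legitimately needs more characters than a name does.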
PHP injection (GET)
Now the fundamental difference is that instead of injecting HTML tags we will be injecting PHP commands.
If you don't know PHP, no worries; the demo below is easy to follow.
1) As soon as we click the message, we expect the message to be displayed on the screen.
2) Let's click the message.
3) Now if we look at the URL, we can see that the message string is present there.
Let's play with it.
4) Change the message string: test it with a PHP command, phpinfo(), and hit enter.
We get something that grabs our eye.
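The post does not show the demo page's source, so as an added example (not the application's own code) the snippet below assumes the most common way a URL parameter ends up executed as PHP: the "message" value is spliced into eval(). The function names and the fixed message table are assumptions; the point is the fix, which is to stop treating the parameter as code.

```php
<?php
// Added example, not the demo application's own code. It ASSUMES the page
// builds its output with eval() on the "message" parameter.

// Vulnerable pattern (assumed): the parameter is spliced into PHP source.
// Whatever the user puts in the URL runs with the web server's privileges.
// There is no safe way to eval() user-controlled text.
function show_message_vulnerable(string $message): void
{
    eval('echo "' . $message . '";');   // DO NOT DO THIS
}

// Hardened pattern: the parameter is data, never code. eval() is gone
// entirely and the text is HTML-encoded so it is displayed, not interpreted.
function show_message_safe(string $message): void
{
    echo htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// If the page only ever needs a fixed set of messages, select one by key
// from a server-side table instead of accepting free text at all.
const MESSAGES = [
    'welcome' => 'Welcome to the demo.',
    'bye'     => 'Goodbye.',
];

function show_message_by_key(string $key): void
{
    if (!array_key_exists($key, MESSAGES)) {
        http_response_code(400);
        echo 'Unknown message';
        return;
    }
    echo htmlspecialchars(MESSAGES[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

show_message_safe($_GET['message'] ?? '');
```

With show_message_safe, a value of phpinfo() in the URL simply prints the text "phpinfo()" back. Removing eval() (and the related create_function, preg_replace with the /e modifier, and include of user-supplied paths) is the real fix; listing such functions in php.ini's disable_functions is a useful extra layer for a server, but it is not a substitute for not executing user input.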
Lesson learned: DON'T TRUST USER INPUT.