Anatomy of code injection

We recently heard in the media about security incidents including data leakage, server infection, and stolen user accounts conducted by malicious parties. In this and future posts I will try to give real life examples of such threats and the way they can be prevented. While analyzing Application Security Manager (ASM) logs I come across this suspicions request:

Looking carefully into this request we can see that the parameter named “author_name” is used to inject something that looks like PHP code. Actually, this seems more like an injection of PHP code in a web application that uses Bulletin Board Code (BBCode).

Another interesting thing with this request is that we can see that the attacker tried to evade security detection by using the “base64_decode()“ PHP function, scrambling the payload of the injected code.

When taking the base64 encoded payload and decoding it, we can see the injected code:

If an attacker successfully injects this code to the web application, the attacker is given control over the web server by exposing the backdoor that allows unauthorized remote control over the web server.

The best way to detect and block such attacks is by combining two known web application firewall methods:

· Signature based – detection of suspicious patterns (such as base64_decode), and block requests that contains this payload.

· Policy anomaly – detection of a change in the way the application is being used. For example, pre-define a set of attributes for the parameter “author_name”, such as a length or allowed meta characters, and if suspicious requests deviates from the pre-defined value then block the request.

And here is how the detection of an injection attempt looks in the ASM log:

Published Jun 30, 2011
Version 1.0

Was this article helpful?

No CommentsBe the first to comment