Tales From the Road: The Best Defense Against Injection Attacks is to Protect Your Legacy App

How DirectDefense accessed sensitive financial and personal data through injection vulnerabilities

The best defense against injection attacks is to secure legacy applications by leveraging an app security assessment.

Got a legacy app? Then listen up: Legacy applications can be particularly susceptible to injection attacks and organizations should take immediate action to remediate this vulnerability before sensitive financial and personal data walk out the back door.

Keep reading to learn how to defend your legacy app against three injection attacks (including 3 things you can do right now to secure your apps).

How Secure Are Your Legacy Applications?

There’s only one way to find out! DirectDefense recently conducted an application security assessment for an education organization that provides its members and employees with a handful of apps to manage their memberships and accounts.

Account information includes everything from basic personal information to financial and banking information.

To identify weak spots, we conducted a time-boxed web application assessment of the external environment to identify vulnerabilities within the applications that would allow malicious actors to access the account information of app users.

Spoiler alert: We uncovered a significant potential for an attack on the underlying database. Yes, that would be all confidential and personal member data…

Injection Protection: Identifying Injection Vulnerabilities

We identified a trifecta of injection vulnerabilities:

  • SQL Injection: Occurs when unsafe input is processed as part of an SQL query.
  • Command Injection: Occurs when user-supplied data is able to execute commands on the underlying system.
  • Expression Language Injection: Occurs when user input is insecurely parsed by an expression language interpreter.

SQL Injection Attack

We identified numerous instances of SQL injection. When executing the SQL injection attack, our consultant observed that the database was parsing data insecurely, allowing us to gain almost full access to the database.

In a real-life scenario, an attacker could craft specific inputs that would allow them to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

What could happen?

Confidential data, usernames, and passwords stored on internal database systems could be compromised, and malicious actors could even gain access to back-end database systems not available from the internet.

Defend against it!

Review all application modules that interact directly with the back-end database and implement these controls:

  • Parameterize all queries or stored procedures
  • Implement input filtering and sanitization on externally-supplied parameters
  • Implement hardened configurations on the back-end database server supporting the application

Command Injection Attack

Command injection attacks occur when user input is parsed by the underlying operating system, allowing for the execution of various commands. Command injection attacks are generally executed with the same privileges as the application and therefore can perform any system functionality available to the application.

What could happen?

This vulnerability is significant – someone with malicious intent could perform a number of actions from exfiltrating sensitive data to completely compromising the server. In such a case, this attack can be used against an externally facing asset to then gain access to internal infrastructure (assuming the target has access to the internal network).

Defend against it!

Never incorporate user input into the commands directly. Instead, map user input into a fixed set of values determined by and stored on the server side. When user input can be mapped to one of those commands, execute the system command with the fixed server-side value.

Expression Language Injection Attack

Expression language injection occurs when a malicious payload is passed to an expression language interpreter, which processes the payload and executes the code.

What could happen?

In a real-life scenario, an attacker could access sensitive data or achieve escalated privileges through changes in the session scope. In some cases, they could perform remote code execution on the server, depending on what Java classes are exposed to the interpreter.

Defend against it!

If possible, avoid incorporating user-controlled data in dynamically evaluated code. This may require altering the functionality surrounding the vulnerable endpoints. Otherwise, utilize robust input validation to ensure that there are no malicious payloads in the value. If possible, utilize whitelisting if there are only a few potential values that should be permitted for the parameters. Alternatively, regular expressions can be used to confirm that only alphanumeric characters are entered into the parameters. Specifically, avoid accepting special characters such as $, %, #, {, and } within the vulnerable parameters.

The Best Defense Against Injection Attacks: Top 3 Protection Tactics

Our consultant’s ability to compromise the database using injection attacks demonstrates the inherent risks of maintaining a legacy system. Applications are workhorses, doing everything from storing payment information to managing long-term memberships and automating specific activities.

When users are trusting an application to house their personal information and handle their payments, it’s critical to ensure the security of those applications.

Don’t make it easy for a bad actor to compromise your applications. Here are 3 things you can do today to prevent an injection attack and protect your user’s sensitive information:

  • Review all SQL queries used by your application and ensure that they are properly parameterized.
  • Do not allow user input in any system commands.
  • Avoid including user input in dynamically evaluated code.

We’re Here to Help!

Protect your organization and the clients, employees, or customers who use your web applications. The best approach to application security is to understand where your external access weaknesses lie.

Schedule your web application security testing and find out! Contact us today.


2023 Security Operations Threat Report