IV. Hardening Steps to Mitigate Code Injection
1. Input Validation and Sanitisation
Injection attacks are performed by including special characters in the parameters sent from the client to the server. The most effective mitigation mechanism is to assume all user inputs are potentially malicious and perform data validation and sanitisation for all user-submitted input content before sending the queries to the server for execution. Here are some common good practices:
- Identify allowable characters and white-list only valid characters;
- Allow well-defined set of safe values via regular expression (e.g. [A-Z a-z 0-9]); and
- Limit the length of each entry
- Analyze the user-supplied data looking for certain known patterns attacks, aided by different programming techniques, like regular expressions and MySQL's mysql_real_escape_string() function; and
- Modify the received user input to adapt it into a harmless one which would reduce the false positive cases
Although validation may take place on the client side, hackers can modify or get around this, so it is essential that you also validate all data on the server side as well.
2. Appropriate / Least User Privileges
Web applications should never connect to your database using an account with admin-level privileges (e.g. "root" account). All application processes should be executed with the minimal privileges required. In addition, processes must release privileges as soon as they no longer require them. Best practice is to create an isolated account specifically for each application and deny access to all objects that are unnecessary to be used by the applications.
3. Error Messages Handling
Hackers can learn a great deal about the system architecture from error messages, detailed error information can be used to refine the original attack and increase the chances of success for hacking. Therefore, it should ensure that they display as little information as possible. Besides, it is better to use the generic error messages on the local machine while ensuring that an external hacker gets nothing more than the fact that his/her actions resulted in an unhandled error.
Escaping is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser. It is the primary means to make sure that untrusted data cannot be used to convey an injection attack.
For dynamically-generated query strings or commands, it should properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict white-list (such as everything that is not alphanumeric or white space).
5. Source Code Review / Scanning
To guard against the injection flaws, code writers should refer to their internal coding guideline or OWASP injection prevention cheat sheet during the development phase. In addition, code writers or reviewers can utilise source code scanning tools to review and look for injection flaws and then fix the vulnerabilities. Some useful scanning tools can be in marketplace included: UrlScan, WebInspect, Scrawlr, W3AF, LDAP Injector and JBroFuzz.
6. Web Application Firewall ("WAF")
A Web Application Firewall ("WAF") is an intermediary device that sits between a web-client and a web server. The WAF analyzes OSI Layer-7 messages (i.e. application layer) for violations in the pre-configured security policy. WAF applies a set of rules to the communication within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers and help to filter out malicious data and requests. In general, these rules cover common attacks such as cross-site Scripting ("XSS"), SQL Injection or session hijacking. In addition, WAF is particularly useful when using third party developed web applications as the modification of the application source code is not required.
7. Environment Patching and Hardening
The risks associated with code injections are escalated when the databases or operating system tied to the Web applications under attack are weak due to poor patching and configuration. In addition, the system administrator should be responsible for hardening the underlying database and the operating system by disabling unnecessary services and functionality.