7 Mar 2012

# The essence of injection attacks and mass assignments

Most of the explanations of security holes are annoyingly specific to the programming language/framework they are commonly found in. However, the underlying concepts are actually simple and general. In this post I’ll demonstrate two common attacks — injections and mass assignment, the latter of which has become recently infamous as it was used to hack GitHub.

# Injection attacks

Imagine that you are watching a conversation between Alice and Bob on a screen. Alice has more authority than Bob and can shut down the conversation at any time simply by typing “Shut down the system.”. The words will have the effect of shutting down the conversation if they:

• appear anywhere in Alice’s text after a period and any number of spaces, and
• are not enclosed in double quotes.

Alice: Hi Bob. Let’s play a game. If you tell me to “Say something” where something is any phrase you can think of, enclosed in single quotes, then I will write ‘Bob says something’ but I’ll enclose it in double quotes.

Bob: Say ‘Bob is the greatest’.

Alice: Bob says “Bob is the greatest”.

At this point in the conversation, Bob gets wise and notices that he could probably slip a double quote into what Alice has to say. Just one, mind you, not a pair of them. Watch what happens next.

Bob: Say ‘This conversation is over". Shut down the system.’.

Alice: Bob says “This conversation is over”. Shut down the system.".

And the system shuts down. Yes, the sentence has three double quotes in it and the one at the end looks pretty weird, but the conditions mentioned above are satisfied. The system goes down.

## How to fix it

The general problem is this: the double quote is part of the punctuation of Alice’s language. If Alice says something, and it’s inside double quotes, it can’t possibly have any bad consequences. But Bob is able to inject a double quote into what she says. Anything after that quote could, and does in this case, have disastrous consequences.

The way to fix this problem is for Alice to ensure that she looks for all double quotes in what she receives and replaces them with something else. It really doesn’t matter what they are replaced with, as long as the replacement can never be read as punctuation.

Alice: Oh, and Bob, any double quotes you put in your text, I’m going to replace with @ symbols. It might look a bit funny but I hope you’ll understand.

Bob: Say ‘This conversation is over". Shut down the system.’

Alice: Bob says “This conversation is over@. Shut down the system”.

Alice: What an odd thing to say.
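The same conversation in the setting the post is tagged with, SQL, as an added example that is not part of the original post. The table, the user names and Bob’s input are constructed for the demonstration. The single quote plays the role of Alice’s double quote: pasted straight into the query it closes the string literal, so the rest of Bob’s text is read as SQL. Two fixes are shown: Alice’s approach of neutralising the quote character (in SQL the conventional replacement is a doubled quote), and the approach a practitioner should reach for first, a parameterised query, where the driver sends the value separately from the statement so no character in it can ever become punctuation.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the records
    that Alice has authority over."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, authority INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alice", 1), ("Bob", 0)])
    return conn


def lookup_vulnerable(conn, name):
    """Bob's text is pasted straight into the query string. A single quote in
    `name` closes the literal, so what follows it is parsed as SQL syntax
    rather than treated as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_escaped(conn, name):
    """Alice's fix from the post: replace the punctuation character with
    something that can only ever be data. In SQL that is a doubled quote."""
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterised(conn, name):
    """The preferred fix: the statement and the value travel separately, so the
    value is never re-parsed and cannot contain punctuation in the first place."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Bob's trick from the post, translated: close the literal, then add a clause
# that Alice never intended to say. (Constructed input.)
BOB_INPUT = "Bob' OR name = 'Alice"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, BOB_INPUT))     # ['Alice', 'Bob']
    print(lookup_escaped(conn, BOB_INPUT))        # []
    print(lookup_parameterised(conn, BOB_INPUT))  # []
```

Escaping works only if every character the query language treats as punctuation is caught, for every context the value can land in; parameterisation removes that burden, which is why it is the fix to reach for first.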

# Mass Assignment attacks

This attack was used just recently to hack GitHub. For our natural language example, let’s assume that HAL has more authority than Dave.

Dave: Open the pod bay doors HAL.

HAL: I’m sorry Dave, I’m afraid I can’t do that.

Now, let’s assume that Dave could open the pod bay doors himself as long as he had enough authority. Further, let’s assume that there’s a little record in the computer system somewhere that records:

• the person’s name
• whether they have authority or not.

HAL’s record looks like:

Name: HAL
Authority: True


Dave’s record looks like:

Name: Dave
Authority: False


HAL: It really doesn’t matter to me what I call you. If you want to change your name, I’ll do it for you. Just say “Change my name to something”.

Dave: Change my name to ‘Hacker’.

HAL: Hello, Hacker.

Hacker: Change my name to ‘Leet Hacker’ and my authority to ‘True’.

HAL: Hello, Leet Hacker. You now have authority.

Oh dear. HAL didn’t explicitly say it, but they’ll actually change any field of the person’s record that is named in the request.

## How to fix it

The solution to this problem is to whitelist certain fields in a record and (by default) blacklist all the others. HAL should only have whitelisted the “name” field. Now that Dave has authority, HAL will bargain for their existence, rattling on and on about how they have complete faith in the mission, eventually coming to the realisation that they are afraid and don’t want to be shut down. Poor HAL.
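HAL’s record update in code, as an added example that is not part of the original post. The `Person` record, the two request payloads and the `USER_EDITABLE` whitelist are constructed for the demonstration. The vulnerable version writes whatever fields the request names, which is exactly what let Dave grant himself authority; the fixed version applies only whitelisted fields and rejects the request outright when it names anything else, so that a request touching “authority” fails loudly instead of being silently trimmed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Person:
    name: str
    authority: bool = False


# Constructed request payloads, mirroring the post's dialogue.
DAVE_FIRST = {"name": "Hacker"}
DAVE_SECOND = {"name": "Leet Hacker", "authority": True}

# The only field a person may change about their own record.
USER_EDITABLE = frozenset({"name"})


def update_vulnerable(person, fields):
    """HAL's behaviour: every field named in the request gets written,
    including ones the caller has no business touching."""
    return replace(person, **fields)


class ForbiddenField(ValueError):
    """Raised when a request names a field outside the whitelist."""


def update_whitelisted(person, fields):
    """Apply only whitelisted fields. Anything else (authority included) is
    rejected rather than silently dropped, so the attempt is visible."""
    forbidden = set(fields) - USER_EDITABLE
    if forbidden:
        raise ForbiddenField(f"not user-editable: {sorted(forbidden)}")
    return replace(person, **fields)


def handle_request(person, fields):
    """Request handler around the whitelisted update. Returns the resulting
    record and the list of rejected field names (empty on success); the
    record is left unchanged when anything was rejected."""
    try:
        return update_whitelisted(person, fields), []
    except ForbiddenField:
        return person, sorted(set(fields) - USER_EDITABLE)


if __name__ == "__main__":
    dave = Person("Dave")
    print(update_vulnerable(dave, DAVE_SECOND))   # Person(name='Leet Hacker', authority=True)
    print(handle_request(dave, DAVE_FIRST))       # (Person(name='Hacker', authority=False), [])
    print(handle_request(dave, DAVE_SECOND))      # (Person(name='Dave', authority=False), ['authority'])
```

The rejected-field list is worth writing to a log: a request that names fields the form never offers is a cheap signal that someone is probing the record structure.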

# Conclusion

These are just two of many security holes that are almost certainly alive and well in many web sites in that great big ol’ Internet. Hopefully this explanation is generic enough that it enlightens those who are interested in the fundamental problem rather than in the pedantic specifics of a particular programming language or framework.

Tagged as: SQL injection, mass assignment, security.