2 cissp ® Official Study Guide Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

injection attack is any exploitation that allows an attacker to submit code to a target system in order to modify its operations and/or poison and corrupt its data set. There are a wide range of potential injection attacks. Typically, an injection attack is named after the type of backend system it takes advantage of or the type of payload delivered (injected) onto the target. Examples include Structured Query Language (SQL) injection, Lightweight Directory Access Protocol (LDAP) injection, XML injection, command injection, Hypertext Markup Language (HTML) injection, code injection, and file injection. A few of these are presented in more detail in this section.

SQL injection attacks are even riskier than XSS attacks (see the following section) from an organization's perspective because the targets of a SQL injection attack are organizational assets, whereas the targets of an XSS attack are customers or visitors to a website. SQL injection attacks use unexpected input to alter or compromise a web application. However, instead of using this input to attempt to fool a user, SQL injection attacks use it to gain unauthorized access to an underlying database and related assets.
In the early days of the Web, all web pages were static, or unchanging. Webmasters created web pages containing information and placed them on a web server, where users could retrieve them using their web browsers. The web quickly outgrew this model because users wanted the ability to access customized information based on their individual needs. For example, visitors to a bank website aren't interested only in static pages containing information about the bank's locations, hours, and services. They also want to retrieve dynamic content containing information about their personal accounts. Obviously, the webmaster can't possibly create pages on the web server for each individual user with that user's personal account information. At a large bank, that would require maintaining millions of pages with up-to-the-minute information. That's where dynamic web applications come into play.
362 Chapter 9 Security Vulnerabilities, Threats, and Countermeasures

Web applications take advantage of a database to create content on demand when the user makes a request. In the banking example, the user logs in to the web application, providing an account number and password. The web application then retrieves current account information from the bank's database and uses it to instantly create a web page containing the user's current account information. If that user returns an hour later, the web server repeats the process, obtaining updated account information from the database.
What does this mean to you as a security professional? Web applications add complexity to the traditional security model. The web server, as a publicly accessible server, belongs in a separate network zone from other servers, commonly referred to as a demilitarized zone (DMZ). The database server, on the other hand, isn't meant for public access, so it belongs on the internal network or at least a secured subnet separated from the DMZ. The web application needs access to the database, so the firewall administrator must create a rule allowing access from the web server to the database server. This rule creates a potential path for internet users to gain access to the database server.
If the web application functions properly, it allows only authorized requests to the database. However, if there is a flaw in the web application, it may let individuals tamper with the database in an unexpected and unauthorized fashion through the use of SQL injection attacks. These attacks allow a malicious individual to perform SQL transactions directly against the underlying database. SQL injection attacks might enable an attacker to bypass authentication, reveal confidential data from database tables, change existing data, add new records into the database, destroy entire tables or databases, and even gain command line–like access through certain database capabilities (such as command shell stored procedures).
You can use two techniques to protect your web applications against SQL injection attacks.
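The banking login described above, shown as an added example (not code from the study guide): a login that builds its SQL by string concatenation beside one that uses a parameterized query, run against a constructed in-memory SQLite table so the authentication-bypass risk and its mitigation can be observed directly. The table layout, account number, and `login_*` function names are assumptions for this illustration.

```python
import sqlite3


def build_db():
    # Constructed sample data for the example; not from the book.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_no TEXT, password TEXT, balance INTEGER)"
    )
    conn.execute("INSERT INTO accounts VALUES ('1001', 's3cret', 500)")
    conn.commit()
    return conn


def login_vulnerable(conn, account_no, password):
    # Flawed web-application code: user input is pasted into the SQL text,
    # so input containing quotes can change the query's logic.
    query = (
        "SELECT account_no FROM accounts WHERE account_no = '" + account_no
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, account_no, password):
    # Parameterized query: the driver passes input as data values, never as
    # SQL text, so quotes in the input cannot alter the statement.
    row = conn.execute(
        "SELECT account_no FROM accounts WHERE account_no = ? AND password = ?",
        (account_no, password),
    ).fetchone()
    return row is not None


def demo():
    conn = build_db()
    # Legitimate credentials succeed with both implementations.
    ok_vuln = login_vulnerable(conn, "1001", "s3cret")
    ok_safe = login_safe(conn, "1001", "s3cret")
    # Unexpected input that closes the quoted literal and appends a
    # tautology; the concatenated query accepts it, the parameterized one
    # treats it as an ordinary (wrong) password.
    unexpected = "' OR '1'='1"
    bypass_vuln = login_vulnerable(conn, "1001", unexpected)
    bypass_safe = login_safe(conn, "1001", unexpected)
    return ok_vuln, ok_safe, bypass_vuln, bypass_safe


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```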