Interpreted Language Injection
What is interpreted language injection?
Interpreted language injection is a technique by
which an attacker is able to modify the code executed by the web server as it
produces web pages. In doing so, the attacker may be able to modify the web
pages produced. More significantly, he may be able to exert influence over the
server and install malicious code, steal confidential information and more.
What makes a site vulnerable to interpreted language injection?
An interesting feature of interpreted language injection vulnerabilities is that they
may occur more frequently in code written by the more proficient programmers.
The reason for this apparent paradox is that interpreted language injection is often made
possible by advanced constructs for dynamically generating code. Dynamically
generated code uses input as part of the code-generation process. When this
input is taken from information supplied by the user, the possibility for interpreted language
injection arises. Interpreted language injection includes PHP injection, Perl injection, ASP injection, etc.
Variable variables and variable functions
Two instances of interpreted language injection are variable variables and variable
functions. If the attacker can influence a variable name he can potentially
modify the code to output the value of variables which were not meant to be
output, assign values to variables which should never have those values (e.g.
security-relevant variables), etc. Variable functions work similarly, in that
the name of the function called by the code is taken from a variable. If the attacker
can influence the name of a variable function he can potentially call any
function of his choosing. This could include functions which normally require
admin rights to execute.
Eval, etc.
Many interpreted languages provide an 'eval'
function which executes code passed to it as an argument. If the attacker can
affect this code he may be able to execute code of his choosing.
Dynamic function declarations
A potent form of interpreted language injection is possible when dynamic function
declarations are used. If the dynamically generated function code makes use of
user input, the attacker may be able to insert (and cause to be executed) code
of his choosing.
Impact of the attack
Attacker code executed during an interpreted language injection attack can potentially
exercise significant control over the website (by modifying its source code,
data, etc.) and the web server itself (by installing malicious software,
deleting existing files, etc.).
Preventing the attack
As with other injection-style attacks, one of the best preventative
measures is to validate all user-influenced data before using it in dynamic
code generation. This involves identifying precise ranges of values for which
it is known that the input will not lead to problems, and rejecting all other
data. Better still is to avoid using user input in dynamic code, if at all
possible.
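The variable-function and eval cases described above, together with the allowlist-style validation recommended in this section, as an added illustration that is not part of the original article. The handler names, the "action" parameter and the calculator are constructed for the example; the safe variants show the "precise range of accepted values" approach rather than trying to filter bad input out.

```python
import ast
import operator

# Hypothetical request handlers (names constructed for this example).
def show_profile(user):
    return f"profile of {user}"

def show_orders(user):
    return f"orders of {user}"

def grant_admin(user):          # meant to be reachable by administrators only
    return f"{user} is now an administrator"

# Vulnerable "variable function": the callee's name is taken from input,
# so any function visible in this module, grant_admin included, is reachable.
def dispatch_unsafe(action, user):
    handler = globals()[action]
    return handler(user)

# Hardened: an explicit allowlist maps the action string to a handler;
# anything outside that precise set is rejected before any code runs.
PUBLIC_ACTIONS = {"profile": show_profile, "orders": show_orders}

def dispatch_safe(action, user):
    handler = PUBLIC_ACTIONS.get(action)
    if handler is None:
        raise ValueError(f"unknown action: {action!r}")
    return handler(user)

# Vulnerable eval: the whole Python expression language is exposed to input.
def calc_unsafe(expr):
    return eval(expr)

# Hardened eval: parse the input and accept only numeric literals and the
# four arithmetic operators; any other node type (calls, names, attribute
# access, ...) is rejected without being evaluated.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def calc_safe(expr):
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("only numeric arithmetic is allowed")
    return walk(ast.parse(expr, mode="eval"))
```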