Injection flaws remain one of the top risks in the OWASP Top 10 web application security risks, and they have held the first position among web application vulnerabilities for a decade. Injection flaws include SQL, NoSQL, OS command and LDAP injection. Threat actor groups such as Axiom and Magic Hound have been observed using SQL injection to gain access to systems. The research community has extensively documented the exploitation details of SQL, NoSQL, OS command and LDAP injection, so this presentation will not spend time explaining once again what these exploits are. Instead, the talk dives into the technical details of novel detection algorithms for SQL, NoSQL, LDAP and OS command injection exploits.
Our algorithms for detecting SQL, NoSQL, OS command and LDAP injection exploitation leverage code flow analysis. An injection exploit adds code to the query or command that the application intended to run, which changes the structure of the application's legitimate code. The algorithm uses the abstract syntax tree (AST), the program dependency graph (PDG) and the SQL parse tree to compute the changes that an injection-based exploit introduces into the original code. In the presentation, we will take an example of each of SQL, NoSQL, OS command and LDAP injection and show the changes the exploit produces in the AST, PDG and SQL parse tree. These structural changes are the fundamental principle behind the detection algorithms for SQL, NoSQL, OS command and LDAP injection, which are discussed in the subsequent part of the presentation.
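The principle described above, that an injection shows up as a change in the structure of the query rather than in its literal values, can be illustrated with a small worked example. The following code is an added illustration written for this page; it is not the presenters' algorithm or code, and it uses a toy SQL tokenizer (constructed here, covering only a small subset of SQL) in place of the full SQL parse tree the talk describes. It reduces a query to a structural signature in which string and numeric literal values are abstracted away, computes the signature the application intended from its query template, and compares it with the signature of the query actually built from untrusted input. A mismatch indicates injected code, and the index at which the two signatures diverge points back at the parameter slot that let it in. The templates, parameter values and the `{}` placeholder convention are constructed for the example.

```python
import re
from typing import Tuple

# Toy tokenizer for a small SQL subset (constructed for this example, not a full SQL grammar).
# Named groups let us classify each token by kind via match.lastgroup.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<str>'(?:[^']|'')*')                  # single-quoted literal, '' is an escaped quote
  | (?P<num>\d+(?:\.\d+)?)                   # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)         # keyword or identifier
  | (?P<comment>--[^\n]*|/\*.*?\*/)          # line or block comment
  | (?P<op><>|<=|>=|!=|\|\||[=<>*,;()+\-/.]) # operators and punctuation
""", re.VERBOSE | re.DOTALL)


def structural_signature(sql: str) -> Tuple[str, ...]:
    """Reduce a query to the shape its parse tree would have.

    Literal *values* are abstracted to STR / NUM; keywords, identifiers,
    operators and comments are kept, because injected code can only appear
    as extra or different tokens of those kinds.
    """
    tokens = []
    pos = 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            # Stray character the grammar does not accept, e.g. an unbalanced quote.
            tokens.append("?" + sql[pos])
            pos += 1
            continue
        kind = m.lastgroup
        if kind == "str":
            tokens.append("STR")
        elif kind == "num":
            tokens.append("NUM")
        elif kind == "comment":
            tokens.append("COMMENT")
        elif kind != "ws":
            tokens.append(m.group().upper())
        pos = m.end()
    return tuple(tokens)


def render(template: str, *params: str) -> str:
    """Emulates the vulnerable pattern: untrusted input spliced into the query text.

    Constructed for the example; real code should bind parameters instead.
    """
    return template.format(*params)


def expected_signature(template: str, n_params: int) -> Tuple[str, ...]:
    """Signature of the query the developer intended: every slot filled with a
    harmless dummy value (0 works for both quoted and unquoted slots)."""
    return structural_signature(template.format(*(["0"] * n_params)))


def diverges_at(expected: Tuple[str, ...], actual: Tuple[str, ...]) -> int:
    """Index of the first token where the executed query's structure departs
    from the intended one; -1 if the shapes are identical."""
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            return i
    if len(expected) == len(actual):
        return -1
    return min(len(expected), len(actual))


def check_query(template: str, *params: str) -> dict:
    """Compare intended vs. actual query structure; report where they diverge."""
    expected = expected_signature(template, len(params))
    actual = structural_signature(render(template, *params))
    i = diverges_at(expected, actual)
    return {"injected": i != -1, "divergence_index": i,
            "expected": expected, "actual": actual}


# Constructed templates standing in for an application's query-building code.
LOGIN_QUERY = "SELECT id FROM users WHERE name = '{}' AND pw = '{}'"
LOOKUP_QUERY = "SELECT * FROM users WHERE id = {}"

if __name__ == "__main__":
    for args in (("alice", "s3cret"), ("O''Brien", "s3cret"),
                 ("' OR '1'='1", "x"), ("admin'--", "x")):
        r = check_query(LOGIN_QUERY, *args)
        print(args, "->", "INJECTION at token" if r["injected"] else "ok",
              r["divergence_index"] if r["injected"] else "")
```

Note that a properly escaped name such as `O''Brien` tokenizes to a single `STR` and therefore keeps the intended shape, while `' OR '1'='1` and `admin'--` both diverge at token index 8, the position immediately after the first parameter slot: that is the slot in the application's query-building code that needs patching, which is the kind of localisation the talk's AST and parse-tree comparison provides.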
The detection algorithm discussed in the presentation provides an inherent advantage: it not only detects SQL, NoSQL, OS command and LDAP injection exploitation by a threat actor but also automatically identifies the vulnerable section of the application code. This automatic identification of the vulnerable part of the code will aid application developers in patching the code and preventing further exploitation.