Volume 4

The SQL UNION clause accommodates the construction of two SQL statements, appending the results of the second SQL statement to the first. After identifying a server vulnerable to SQL injection, you can craft a secondary query by adding the keyword UNION followed by the new SELECT statement designed to retrieve data from one or more database tables.

As a defender, you have several opportunities to protect against SSRF and IMDS attacks. First, you should develop a better understanding of the inputs to the applications you need to defend, including any inputs controlled by the user that could make server-side requests.

Logging resources should also be leveraged to identify misuse of systems. This can include web server logs that may reveal exploits as part of an SSRF attack, but it can also include cloud providers' logs. Finally, for AWS use, you should require that developers use IMDSv2 to protect against SSRF access to IMDS. While this will not protect against access to IMDS by other means of attack (such as command injection), it will mitigate many SSRF attack opportunities against IMDS.

An attacker can use BeEF to launch attacks on victims. In order for the attack to be delivered, the victim must execute the BeEF hook (a JavaScript file that is available on the BeEF server). In a drive-by attack, this is not a restriction for the attacker, since the attacker will already have established access to a target website where any JavaScript code can be delivered to the victim.

A watering hole attack utilizes the same techniques as a drive-by attack with one exception: it is targeted. Where drive-by attacks are mostly opportunistic (the attacker will gladly compromise any vulnerable host), a watering hole attack involves a targeting element against a specific vertical industry or other organization such as a company, government, or political party.

Drive-by and watering hole attacks use available exploits to take advantage of browser vulnerabilities as well as vulnerabilities in associated software. These exploits may target the browser itself or downloaded files associated with a browser MIME file type.

Cross-site scripting (XSS) is an attack against an end-user, leveraging a vulnerability on a server that is not performing input or output validation. This is different from the command injection attack where the server vulnerability is used to exploit the server. In an XSS attack, the user runs malicious code supplied by the attacker from the vulnerable server.

One defense against cross-site scripting (XSS) attacks is using the Content Security Policy (CSP) header on web servers to declare where linked resources can be loaded from in the requested page by the browser. While input validation and filtering dangerous characters are other important defenses, they are useful against both XSS and SQL injection attacks. Using parametrized queries is a defense exclusive to SQL injection attacks, not XSS attacks.

For SSRF attacks, attackers are less interested in OS files like /etc/shadow and /etc/passwd and more interested in application files.

In many cases, credentials are specified through the system environment as an environment variable. While this can offer more security compared to simply storing credentials in a file, environment variables are also available to an attacker through the virtual /proc filesystem (/proc/NNN/environ, where NNN is the numeric process ID, a value the attacker would have to guess or brute force). In some cases, environment information is stored in the /etc/environment file, which could also be disclosed in an SSRF attack.

IMDS credential disclosure is an issue that affects many different cloud providers, including AWS (IMDSv1), DigitalOcean Droplets, and Alibaba Cloud. Some cloud providers, including Microsoft Azure, Google Compute, and AWS IMDSv2 (not by default), have taken an alternate approach, requiring authentication credentials to access IMDS data using a special HTTP header when interacting with the IMDS instance. Since the exploited web function is unlikely to include the IMDS header in requests, an SSRF vulnerability cannot be used to access cloud server metadata.

When exploiting an SSRF vulnerability, the attacker will try to access protected files on the vulnerable host, typically to escalate privileges by obtaining passwords or password hash information. The most common way to do this against a Linux target is to retrieve the contents of the /etc/shadow file. If requesting the URL with cURL for the /etc/shadow file returns 0 bytes, the attacker cannot know if the zero-length content response is due to a protected /etc/shadow file that is inaccessible to the web server or the server-side request process, or if the file simply does not exist on the file system. However, it is a useful indicator that can tip off the attacker to try other cloud-centric exploitation tactics against the server.