Insertion Attacks

Insertion attacks come in many forms, but all involve the introduction of unauthorized content or devices to an otherwise secured infrastructure. Three common insertion-based attacks include SQL injection, IDS insertion, and rogue device insertion. Knowing what should be on the network and dropping unexpected or improperly formatted data packets greatly diminishes these types of attacks.

SQL injection is an attack that inserts a hacker’s code into a script hosted on a website or into a query sent to a database. SQL injection attacks can give the hacker access to the back-end database of a web application. The technique exploits a weakness in common web communications: certain characters are treated differently because they are assigned a special meaning or purpose rather than being handled as plain text. These are called metacharacters and act as programming markup. If you don’t write a script defensively to block or ignore metacharacters, then injection attacks can effectively rewrite the script based on content a hacker submits. The injected code can perform just about any possible command line task imaginable.
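The metacharacter problem described above, shown as an added example that is not from this book: a lookup that pastes user text into the SQL string beside one that passes the text as a bound parameter. The in-memory SQLite table, the user names, and the `has_sql_metacharacters` filter are constructed for this illustration; parameterization is the primary defense and the filter is the coarse secondary check the text calls input filtering.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the submitted text becomes part of the SQL program, so a
    # quote metacharacter can close the string literal and rewrite the WHERE
    # clause. A tautology such as  x' OR '1'='1  returns every row.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Hardened: the SQL text is fixed and the value travels separately as a
    # bound parameter, so quotes are ordinary characters, never markup.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def has_sql_metacharacters(name):
    # Coarse input filter (assumed policy): reject names containing the
    # characters SQL treats as markup. Use it in addition to, not instead of,
    # bound parameters, and expect false positives on names like O'Brien.
    return any(ch in name for ch in "';-/*")


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe :", lookup_unsafe(db, probe))   # every user leaks
    print("safe   :", lookup_safe(db, probe))     # no such user
    print("filter :", has_sql_metacharacters(probe))
```

Running the block shows the unsafe lookup returning all three users for the probe string while the parameterized lookup returns nothing, because the database engine never parsed the quote as SQL.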

Cross-site scripting (XSS) is similar to SQL injection, but its results attack future visitors to a webpage rather than granting the hacker access to the back-end database. An XSS attack submits script code to a website. XSS can result in persistent malicious modification of web source files, which causes all future visitors to the site to receive compromised content.

XSS attacks can also take the form of emails to victims containing falsified hyperlinks; when the victim clicks an embedded link, the script injection is delivered to the target site. Such an attack can grant the hacker access to the seemingly secured web transaction of the victim. This form of attack is non-persistent because it affects only those who click on the links in the malicious email.
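Both the persistent and the link-borne variants above succeed only if the site writes submitted text into a page as markup. As an added example (not from this book), here is a comment renderer that does exactly that, beside one that applies the metacharacter encoding the text calls defensive coding. The page template, the comment string, and the helper names are constructed for this illustration.

```python
import html

TEMPLATE = '<p class="comment">{}</p>'   # constructed page fragment


def render_comment_unsafe(comment):
    # Vulnerable: the submission is written straight into the HTML, so any
    # tag it contains is interpreted by every visitor's browser.
    return TEMPLATE.format(comment)


def render_comment_safe(comment):
    # Hardened: encode the HTML metacharacters (< > & " ') so the browser
    # displays the submission as text and never treats it as markup.
    return TEMPLATE.format(html.escape(comment, quote=True))


def contains_active_markup(rendered):
    # Detection check for the stored variant: does the page we are about to
    # serve still carry a script tag that came from user content?
    return "<script" in rendered.lower()


if __name__ == "__main__":
    submitted = "Nice post! <script>alert('xss')</script>"   # constructed
    print(render_comment_unsafe(submitted))
    print(render_comment_safe(submitted))
```

The encoded form is what a reviewer should expect to see in stored web content; a script tag surviving in the rendered output of `render_comment_unsafe` is the persistent modification the text describes.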

IDS insertion is a form of attack that exploits the nature of a network-focused IDS, which collects and analyzes every packet, to trick the IDS into thinking an attack took place when it really has not. The common purpose of IDS insertion attacks is to trick signature- or pattern-matching detection of malicious network events. By interspersing attack traffic with packets that the target host will reject but the IDS will view, the IDS fails to see the attack pattern, but the attack still takes place. For example, suppose an attack is composed of four packets—A, B, C, and D—and the IDS signature is a packet stream of ABCD. If the hacker transmits the attack as AXBCYD, where X and Y are invalid packets rejected by the target, then the IDS doesn’t recognize the pattern. After X and Y are discarded, the ABCD attack occurs against the target.
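The AXBCYD case above, simulated as an added example that is not from this book. A naive matcher looks for ABCD in the raw packet order and misses it; a host-aware matcher first discards what the target itself would discard and then matches. The packet fields, the two reasons a packet is "invalid" (a bad checksum, or a TTL that expires before reaching the host), and the distance of the host from the sensor are assumptions of this simulation.

```python
from dataclasses import dataclass

SIGNATURE = ["A", "B", "C", "D"]
HOST_HOPS_PAST_SENSOR = 3      # assumed: target sits 3 hops beyond the IDS


@dataclass
class Packet:
    payload: str
    ttl: int              # remaining hop count when the sensor sees it
    checksum_ok: bool


def host_accepts(pkt):
    # Model of the target's own validation: a bad checksum is dropped, and a
    # packet whose TTL runs out before the host never arrives at all.
    return pkt.checksum_ok and pkt.ttl >= HOST_HOPS_PAST_SENSOR


def contains_signature(payloads):
    # Contiguous match of the ABCD pattern within the payload sequence.
    n = len(SIGNATURE)
    return any(payloads[i:i + n] == SIGNATURE for i in range(len(payloads) - n + 1))


def naive_ids(stream):
    # Matches against every packet the sensor captured, in wire order.
    return contains_signature([p.payload for p in stream])


def host_aware_ids(stream):
    # Normalizes first: drop packets the target would reject, then match.
    return contains_signature([p.payload for p in stream if host_accepts(p)])


def build_insertion_stream():
    # Constructed capture: A X B C Y D, where X expires in transit and Y
    # carries a bad checksum, so the host only ever processes A B C D.
    def good(c):
        return Packet(c, ttl=64, checksum_ok=True)
    return [good("A"), Packet("X", ttl=1, checksum_ok=True),
            good("B"), good("C"), Packet("Y", ttl=64, checksum_ok=False),
            good("D")]


def build_clean_stream():
    return [Packet(c, ttl=64, checksum_ok=True) for c in "ABCD"]


if __name__ == "__main__":
    s = build_insertion_stream()
    print("naive IDS sees attack:     ", naive_ids(s))       # False
    print("host-aware IDS sees attack:", host_aware_ids(s))  # True
```

Real sensors cannot always know the target's exact behaviour, which is why the defenses listed later (anomaly, behavioral, and heuristic detection, plus dropping improperly formatted packets at the boundary) matter alongside this kind of normalization.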

Rogue device insertion is a physical form of insertion attack where a hacker inserts an imposter device into an infrastructure. The most common example of this is the insertion of a rogue wireless access point (WAP) configured similarly to the real, authorized access point. Some users might be fooled into connecting to the rogue access point. This would constitute a man-in-the-middle attack where the hacker would intercept all transactions from the compromised system. A smartphone can mimic a WAP. Another type of insertion attack is the physical key logger discussed earlier.
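A site survey, in the sense the text uses later, is only useful if it is compared against an inventory of what should be on the air. As an added example (not from this book), here is a check that takes a constructed list of authorized access points and a constructed scan result and flags the two things a rogue WAP "configured similarly to the real one" produces: the corporate SSID broadcast from an unknown BSSID, and a look-alike SSID. The SSIDs, BSSIDs, and scan format are assumptions for this illustration.

```python
# Constructed inventory: protected SSID -> authorized BSSIDs (AP radio MACs).
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}


def _normalize_ssid(ssid):
    # Collapse case, spaces and separators so "Corp-WiFi" matches "CorpWiFi".
    return "".join(ch for ch in ssid.lower() if ch not in " -_.")


def find_rogue_aps(scan_results, authorized=AUTHORIZED):
    """Return (ssid, bssid, reason) for each scan entry that should not exist.

    scan_results is a list of {"ssid": ..., "bssid": ...} dicts (assumed
    format, as a wireless survey tool might export).
    """
    findings = []
    normalized_protected = {_normalize_ssid(s): s for s in authorized}
    for entry in scan_results:
        ssid, bssid = entry["ssid"], entry["bssid"].lower()
        if ssid in authorized:
            if bssid not in authorized[ssid]:
                findings.append((ssid, bssid, "protected SSID from unknown BSSID"))
        elif _normalize_ssid(ssid) in normalized_protected:
            real = normalized_protected[_normalize_ssid(ssid)]
            findings.append((ssid, bssid, "look-alike of protected SSID " + real))
    return findings


if __name__ == "__main__":
    survey = [   # constructed scan output
        {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01"},
        {"ssid": "CorpWiFi", "bssid": "DE:AD:BE:EF:00:01"},
        {"ssid": "Corp-WiFi", "bssid": "DE:AD:BE:EF:00:02"},
        {"ssid": "CoffeeShop", "bssid": "AA:BB:CC:DD:EE:FF"},
    ]
    for finding in find_rogue_aps(survey):
        print(finding)
```

Unrelated neighbouring networks are not reported; only devices that impersonate the authorized infrastructure are, which keeps the survey output actionable.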

Each insertion attack method requires that you create a unique defense. You can prevent SQL injection attacks by defensive programming and filtering input. XSS attacks are generally preventable if you use defensive coding techniques, metacharacter filtering, and input validation. For end users, defenses include cookie management and disabling scripting support in browsers and email clients. Squelch IDS insertion attacks by using modern IDS techniques such as anomaly, behavioral, and heuristic detection. You can derail a rogue device insertion through encrypted communications, preconfigured network access, prohibited wireless networking, user training, and regular site surveys.
