Reflection injections occur in a web application when it retrieves data from a user or a third-party service and fully or partially uses it to
inspect, load or invoke a component by name.
If an application uses a reflection method in a way that is vulnerable to injections, it is exposed to attacks that aim to achieve remote code
execution on the server’s website.
A user with malicious intent exploits this by carefully crafting a string involving symbols such as class methods, that will help them change the
initial reflection logic to an impactful malicious one.
After creating the malicious request and triggering it, the attacker can attack the servers affected by this vulnerability without relying on any
pre-requisites.
What is the potential impact?
If user-supplied values are used to choose which code is executed, an attacker may be able to supply carefully-chosen values that cause unexpected
code to run. The attacker can use this ability to run arbitrary code on the server.
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.
Application-specific attacks
In this scenario, the attackers succeed in injecting a seemingly-legitimate object, but whose properties might be used maliciously.
Depending on the application, attackers might be able to modify important data structures or content to escalate privileges or perform unwanted
actions. For example, with an e-commerce application, this could be changing the number of products or prices.
Full application compromise
In the worst-case scenario, the attackers succeed in injecting an object triggering code execution.
Depending on the attacker, code execution can be used with different intentions:
- Download the internal server’s data, most likely to sell it.
- Modify data, install malware, for instance, malware that mines cryptocurrencies.
- Stop services or exhaust resources, for instance, with fork bombs.
This threat is particularly insidious if the attacked organization does not maintain a Disaster Recovery Plan (DRP).
Root privilege escalation and pivot
In this scenario, the attacker can do everything described in the previous section. The difference is that the attacker additionally manages to
elevate their privileges as an administrator and attack other servers.
Here, the impact depends on how much the target company focuses on its Defense In Depth. For example, the entire infrastructure can be compromised
through a combination of unsafe deserialization and misconfiguration:
- Docker or Kubernetes clusters
- cloud services
- network firewalls and routing
- OS access control
