OWASP Injection

OWASP TOP 10 Explained: Injection

Injection covers a broad class of attack vectors in which an attacker supplies untrusted input that an interpreter then treats as part of a command or query, changing how the program executes. Injection attacks are among the most common and most damaging attacks on web applications. They can lead to data theft, data loss, loss of data integrity, denial of service, and full system compromise.

Injection is a major concern in web security. It is classified as the number one web application vulnerability in the OWASP Top 10 (A1 in the 2017 edition; the 2021 edition, which folds Cross-site Scripting into the same category, lists it as A03), and with good reason. Injection attacks, notably SQL injection (SQLi) and Cross-site Scripting (XSS), are not only severe but also very common, especially in legacy applications.

Types of Injection

Although SQL injection (SQLi) and Cross-Site Scripting (XSS) are the most frequently discussed injection attacks, they are by no means the only ones.

Code Injection

Injects code that the application's own interpreter (PHP, Python, Node.js and so on) evaluates, typically through unsafe use of functions such as eval(); the injected code runs with the privileges of the user account that runs the web application. Advanced attackers can chain this with privilege escalation vulnerabilities to gain higher privileges, which can lead to full system compromise.

Potential Impact

Full system compromise

CRLF Injection

Injects an unexpected CRLF (Carriage Return and Line Feed) sequence into a value that ends up in an HTTP response header. Because CRLF terminates a header line, the attacker can add headers of their own and, with a second CRLF, end the header block and append arbitrary content to the response body (HTTP response splitting), which is how the attack turns into Cross-site Scripting (XSS).

Potential Impact

Cross-site Scripting (XSS)
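The splitting described above, as an added example that is not part of the original article: a redirect handler that concatenates an untrusted target into the Location header, a client-side parse that shows what the browser would see, and the check (reject CR/LF outright, since HTTP/1.x headers have no escape for them) that closes the hole. The handler, the `next` parameter and the payload are constructed for illustration.

```python
# Added example (not from the original article): HTTP response splitting via an
# injected CRLF sequence, and the check that blocks it. The redirect handler and
# the payload below are constructed for illustration.


class HeaderInjectionError(ValueError):
    """Raised when an untrusted value would terminate or split a header."""


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable pattern: the untrusted redirect target is concatenated
    straight into the Location header, so CR/LF inside it ends the header."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def safe_header_value(value: str) -> str:
    """Reject CR, LF and NUL in a header value instead of trying to escape them;
    there is no escaping for these characters in HTTP/1.x headers."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjectionError("control character in header value")
    return value


def build_redirect_safe(target: str) -> bytes:
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {safe_header_value(target)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response(raw: bytes):
    """Split a raw response the way a client would: the header block ends at
    the first blank line and everything after it is the body.
    Returns (header_lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[1:], body


def redirect_is_rejected(target: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_redirect_safe(target)
    except HeaderInjectionError:
        return True
    return False


# Constructed payload: what the server sees after URL-decoding a query such as
#   ?next=http://example.test/%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a%3Cscript%3E...
PAYLOAD = (
    "http://example.test/\r\n"
    "Set-Cookie: session=attacker\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    headers, body = parse_response(build_redirect_vulnerable(PAYLOAD))
    print("headers the client sees:", headers)
    print("body the client sees:", body[:40])
    print("hardened builder rejects payload:", redirect_is_rejected(PAYLOAD))
```

The vulnerable response carries an attacker-chosen Set-Cookie header and a body that starts with the injected script, while the original Content-Length line is pushed into the body. Python's own `http.client` applies the same check (it raises `ValueError` for header values containing CR or LF), as do current web frameworks; the hole appears when an application assembles headers itself.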

Cross-site Scripting (XSS)

Injects arbitrary JavaScript into a legitimate website or application, which is then executed in the victim's browser in the context of that site.

Potential Impact

Account impersonation (session hijacking), execution of arbitrary JavaScript in the victim's browser.
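Reflected XSS in three output contexts, as an added example that is not part of the original article: a text node, an attribute value, and a URL attribute. It shows why the defence is contextual output encoding rather than a single "sanitize" step: `html.escape` handles the first two (only with its default `quote=True` for attributes), while a `javascript:` URL survives entity encoding and needs a scheme allowlist. The templates, payloads and `profile_link` helper are constructed for illustration.

```python
# Added example (not from the original article): reflected XSS in three output
# contexts and the encoding that fits each. Templates and payloads are constructed.
import html
from urllib.parse import urlsplit


def greeting_vulnerable(name: str) -> str:
    """HTML text context, no encoding: the input becomes markup."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """HTML text context: html.escape turns < > & into entities."""
    return f"<p>Hello, {html.escape(name)}!</p>"


def search_box(previous_query: str, quote: bool = True) -> str:
    """HTML attribute context. quote=True (the default) is what turns the double
    quote into &quot;; with quote=False the attacker can close the attribute and
    add an event handler."""
    return f'<input name="q" value="{html.escape(previous_query, quote=quote)}">'


def profile_link(url: str) -> str:
    """URL attribute context: entity encoding does not stop javascript: URLs,
    so the scheme is checked against an allowlist before the value is encoded."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url)}">profile</a>'


# Constructed attacker inputs, one per context
TEXT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'
URL_PAYLOAD = "javascript:alert(1)"

if __name__ == "__main__":
    print(greeting_vulnerable(TEXT_PAYLOAD))
    print(greeting_safe(TEXT_PAYLOAD))
    print(search_box(ATTR_PAYLOAD, quote=False))
    print(search_box(ATTR_PAYLOAD))
    print(profile_link(URL_PAYLOAD))
```

The attribute case is the one most often got wrong: escaping `<` and `>` but not `"` leaves `<input name="q" value="" onfocus="alert(1)" autofocus="">`, which fires without any angle bracket in the payload. Template engines with auto-escaping (Jinja2, Django templates, Rails ERB) do the first two encodings by default; the URL scheme check still has to be written.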

Email (Mail command/SMTP) Injection

Injects IMAP/SMTP commands into a mail server that is not directly reachable from the web client, usually through form fields (such as a contact form's subject or recipient) that the application places into mail headers unchanged.

Potential Impact

Spam relay, Information disclosure

Host Header Injection

Abuses the implicit trust many applications place in the HTTP Host header (for example when building absolute URLs) to poison password-reset links and site caches.

Potential Impact

Password-reset poisoning, Cache poisoning
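Password-reset poisoning as an added example that is not part of the original article: a reset link built from the Host (or X-Forwarded-Host) header points wherever the attacker's request says, so the victim's click delivers the reset token to the attacker's server. The two fixes shown are an allowlist check on the Host value and, simpler still, never deriving absolute URLs from request headers. The header dictionaries, hostnames, `CANONICAL_HOST` setting and token are constructed for illustration.

```python
# Added example (not from the original article): a password-reset link built
# from the Host header versus one built from configuration. Hostnames, headers
# and the token are constructed for illustration.

# Assumption: the public hostname comes from deployment configuration,
# not from the request.
CANONICAL_HOST = "app.example.test"
ALLOWED_HOSTS = {CANONICAL_HOST}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Uses whatever Host (or X-Forwarded-Host) the client sent. An attacker who
    requests a reset for the victim's address makes the emailed link point at a
    host they control; the victim's click leaks the token."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/reset?token={token}"


def reset_link_checked(headers: dict, token: str) -> str:
    """Allowlist check: accept the request's Host only if it is one we serve,
    and ignore X-Forwarded-Host unless a trusted proxy is known to set it."""
    host = headers.get("Host", "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"https://{host}/reset?token={token}"


def reset_link_canonical(token: str) -> str:
    """Simplest fix: build absolute URLs from configuration only."""
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def host_is_rejected(headers: dict) -> bool:
    try:
        reset_link_checked(headers, "probe")
    except ValueError:
        return True
    return False


# Constructed attacker requests: a direct Host spoof, and a forged
# X-Forwarded-Host behind a legitimate Host.
DIRECT_SPOOF = {"Host": "evil.example"}
FORWARDED_SPOOF = {"Host": "app.example.test", "X-Forwarded-Host": "evil.example"}

if __name__ == "__main__":
    print(reset_link_vulnerable(DIRECT_SPOOF, "tok"))
    print(reset_link_vulnerable(FORWARDED_SPOOF, "tok"))
    print("direct spoof rejected:", host_is_rejected(DIRECT_SPOOF))
    print(reset_link_checked(FORWARDED_SPOOF, "tok"))
    print(reset_link_canonical("tok"))
```

When comparing against the allowlist in production, normalise the port as well (clients may send `app.example.test:443`), and honour X-Forwarded-Host only when the request provably came through your own reverse proxy. The same header trust is what makes cache poisoning possible: if the cache key ignores Host but the page embeds it, one poisoned response is served to everyone.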

LDAP Injection

Injects LDAP (Lightweight Directory Access Protocol) statements to execute arbitrary LDAP queries, including granting permissions and modifying the contents of the LDAP directory tree.

Potential Impact

Authentication bypass, Privilege escalation, Information disclosure

OS Command Injection

Injects operating system commands that execute with the privileges of the user account running the web application. Some variants of this attack exploit privilege escalation flaws that can lead to full system compromise.

Potential Impact

Full system compromise
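The injection described above, as an added example that is not part of the original article: the same lookup run three ways, through a shell string (vulnerable), through a shell string with `shlex.quote` (escaping, correct but easy to forget), and through an argument list with no shell plus an allowlist on the value (preferred). `echo` stands in for the real tool (ping, nslookup, whois) so the example is harmless and runs anywhere with `/bin/sh`; the hostname pattern and payload are constructed for illustration.

```python
# Added example (not from the original article): OS command injection through
# shell=True, and the argument-list form that avoids it. `echo` stands in for a
# network tool; the allowlist regex and payload are constructed.
import re
import shlex
import subprocess

# Constructed allowlist: hostname characters only, no leading '-' so the value
# can never be parsed as an option by the called program.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def lookup_vulnerable(hostname: str) -> str:
    """shell=True hands the whole string to /bin/sh, which interprets
    ; | && $( ) and backticks, so the input becomes a second command."""
    cmd = f"echo {hostname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_quoted(hostname: str) -> str:
    """If a shell is unavoidable, shlex.quote turns the value into one shell word.
    This is the escaping approach: correct here, but it must be applied at every
    call site, and it does nothing about option-like values."""
    cmd = f"echo {shlex.quote(hostname)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_safe(hostname: str) -> str:
    """Preferred: no shell at all. The hostname is a single argv entry whatever it
    contains, and the allowlist stops values such as '-n' (argument injection)."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return subprocess.run(["echo", hostname], capture_output=True, text=True).stdout


def hostname_is_rejected(hostname: str) -> bool:
    try:
        lookup_safe(hostname)
    except ValueError:
        return True
    return False


PAYLOAD = "example.test; echo INJECTED"  # constructed attacker input

if __name__ == "__main__":
    print("shell=True:", repr(lookup_vulnerable(PAYLOAD)))
    print("shlex.quote:", repr(lookup_quoted(PAYLOAD)))
    print("argv list rejects payload:", hostname_is_rejected(PAYLOAD))
    print("argv list:", repr(lookup_safe("example.test")))
```

With `shell=True` the output is two lines, the second being the attacker's command; with `shlex.quote` or the argument list the whole string is echoed literally. The argument list removes the shell but not the called program's own option parsing, which is why the allowlist (or a `--` separator where the tool supports it) is still needed.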

SQL Injection (SQLi)

Injects SQL commands that can read or modify data in a database. Some variants of this attack can be used to write arbitrary files to the server or execute OS commands, which can lead to full system compromise.

Potential Impact

Authentication bypass, information disclosure, data loss, data theft, loss of data integrity, denial of service, full system compromise.

XPath Injection

Inject data into an application to execute crafted XPath queries which can be used to access unauthorized data and bypass authentication.

Potential Impact

Information disclosure, authentication bypass.

Prevention against Injection Attacks

Injection is one of the most commonly used web attack vectors, used to steal sensitive information from organisations. Fortunately, there are ways to defend a website against injection attacks.

Parameterized Statements

Programming languages use database drivers to connect to SQL databases. The driver lets the application build and run SQL statements against the database and extract or manipulate data as needed. Parameterized statements (also called prepared statements) send the SQL text and the parameters (i.e. the inputs) to the database separately, so the inputs are handled purely as data and can never be parsed as part of the query.

Object Relational Mapping

Most engineering teams use Object Relational Mapping (ORM) systems to convert SQL result sets into more convenient application objects. ORM tools also mean that developers rarely have to write SQL statements by hand, and these tools use parameterized statements under the hood. A well-known example is Active Record in Ruby on Rails. The caveat is that every ORM still offers an escape hatch for raw SQL or string-built fragments (raw queries, hand-written WHERE clauses, dynamic ORDER BY), and those paths are just as injectable as plain SQL.

Escaping Inputs

When you cannot use parameterized statements or a framework that writes SQL for you, the next best option is to make sure that special characters in the input parameters are correctly escaped. Escaping is a weaker defence: it is specific to the database and to the quoting context, it only works for values that sit inside a quoted string literal (a number or identifier spliced into the query cannot be escaped into safety), and it has to be remembered at every call site.
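An added example, not part of the original article, that serves both the Parameterized Statements and the Escaping Inputs sections above: the same login and lookup queries written with string concatenation, with quote-escaping, and with bound parameters, run against an in-memory SQLite table. It shows the classic tautology bypass, that escaping does stop it in a quoted string, and that escaping is useless in a numeric position where only a bound parameter helps. The table, rows, passwords and payloads are constructed for illustration (passwords are stored in clear only to keep the example short; real systems store hashes).

```python
# Added example (not from the original article): SQL injection with
# concatenation, escaping and bound parameters, against SQLite in memory.
# Table, rows and payloads are constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Cleartext passwords only to keep the example short.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concatenated(conn, username: str, password: str) -> bool:
    """Vulnerable: values are spliced into the SQL text and parsed as SQL."""
    sql = (
        "SELECT id FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def escape_sql_string(value: str) -> str:
    """Standard SQL escaping for a value inside single quotes: double each quote.
    Only valid in that context; it does nothing for unquoted (numeric) positions."""
    return value.replace("'", "''")


def login_escaped(conn, username: str, password: str) -> bool:
    sql = (
        "SELECT id FROM users "
        f"WHERE username = '{escape_sql_string(username)}' "
        f"AND password = '{escape_sql_string(password)}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    """SQL text and values travel separately; the values are never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def usernames_by_id_escaped(conn, user_id: str) -> list:
    """Numeric context: no quotes surround the value, so quote-escaping changes
    nothing and '1 OR 1=1' still rewrites the WHERE clause."""
    sql = f"SELECT username FROM users WHERE id = {escape_sql_string(user_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def usernames_by_id_parameterized(conn, user_id: str) -> list:
    """The bound value is compared as data: '2' matches id 2, '1 OR 1=1' matches nothing."""
    sql = "SELECT username FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


TAUTOLOGY = "' OR '1'='1"   # constructed attacker input for the password field
NUMERIC_PAYLOAD = "1 OR 1=1"  # constructed attacker input for an id field

if __name__ == "__main__":
    db = make_db()
    print("concatenated, tautology password:", login_concatenated(db, "alice", TAUTOLOGY))
    print("escaped, tautology password:", login_escaped(db, "alice", TAUTOLOGY))
    print("parameterized, tautology password:", login_parameterized(db, "alice", TAUTOLOGY))
    print("escaped, numeric payload:", usernames_by_id_escaped(db, NUMERIC_PAYLOAD))
    print("parameterized, numeric payload:", usernames_by_id_parameterized(db, NUMERIC_PAYLOAD))
```

With concatenation the password check becomes `password = '' OR '1'='1'`, which is true for every row. Escaping turns the quotes into a literal and the login fails, but the numeric lookup `WHERE id = 1 OR 1=1` returns every user because there was never a quote to escape. The parameterized form is the only one that is safe in both positions, and it is the same amount of code.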

Stored procedures

A stored procedure groups one or more SQL statements into a logical unit kept in the database, for which the database builds an execution plan once; later calls pass their arguments as parameters, so the procedure is parameterized in the same way as a prepared statement. Simply put, it is a piece of SQL code that is stored once and called many times, so instead of writing the statement over and over the application only calls the stored procedure. The caveat is that a stored procedure that builds dynamic SQL from its arguments by concatenation (for example with EXEC in SQL Server or EXECUTE IMMEDIATE in Oracle) is just as injectable as application code doing the same.

Input Validation

The purpose of validation is to check whether the input submitted by the user has an allowed form. Input validation ensures that the type, length, format and so on are acceptable, and only values that pass validation are processed. It helps to neutralize commands embedded in the input string, but it is a defence-in-depth layer rather than a substitute for parameterized statements: validate against an allowlist of permitted values or patterns rather than a denylist of known-bad characters, and note that for inputs that cannot be bound as parameters at all, such as a column name or sort order chosen by the user, an allowlist is the only defence available. In a way, it is like looking to see who is knocking before opening the door.
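Allowlist validation as an added example that is not part of the original article, concentrating on the inputs that parameterized statements cannot cover: a client-chosen sort column and direction, which are SQL identifiers and keywords and therefore cannot be bound, plus a numeric id and a username checked for type, length and format. The column set, length limits and regular expressions are constructed assumptions.

```python
# Added example (not from the original article): allowlist validation for
# inputs that cannot be bound as SQL parameters (identifiers, keywords), plus
# type/length/format checks for ordinary values. Limits are constructed.
import re

SORTABLE_COLUMNS = {"id", "username", "created_at"}   # constructed allowlist
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")      # constructed format


def order_by_clause(column: str, direction: str) -> str:
    """Identifiers and keywords cannot be bound parameters, so the only safe way
    to let the client choose them is to map onto a fixed set of known values."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsortable column: {column!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"bad sort direction: {direction!r}")
    return f"ORDER BY {column} {direction.upper()}"


def parse_user_id(raw: str) -> int:
    """Type and range check. The result is an int, so later code cannot splice
    '1 OR 1=1' into a query even if it concatenates by mistake."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError(f"user id must be 1 to 9 digits: {raw!r}")
    value = int(raw)
    if value == 0:
        raise ValueError("user id must be positive")
    return value


def validate_username(raw: str) -> str:
    """Format check against an allowlist pattern; a quote or comment sequence
    never gets this far."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError(f"invalid username: {raw!r}")
    return raw


def rejected(func, *args) -> bool:
    """True if the validator refuses the input."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(order_by_clause("username", "desc"))
    print("subquery as column rejected:", rejected(order_by_clause, "(SELECT 1)", "asc"))
    print(parse_user_id("42"))
    print("'1 OR 1=1' as id rejected:", rejected(parse_user_id, "1 OR 1=1"))
    print("\"alice' --\" as username rejected:", rejected(validate_username, "alice' --"))
```

The returned `ORDER BY` fragment is safe to concatenate precisely because every character in it came from the server's own constants; the client's input only selected which constant. Use the same pattern for table names, sort orders and pagination keywords, and keep the ordinary values (ids, names, search terms) going through bound parameters even after validation.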

Conclusion

Get your website or web application checked against injection today. Get your first preliminary scan here, and find more insights about your application or website.
