Injection attacks exploit a range of vulnerabilities to deliver untrusted user input that the application then executes or interprets. Injections are among the most common and dangerous attack vectors in web application security. Let's take a look at our subjective top 5 injection attacks to see how they work and what you can do to prevent them.
What Are Injection Attacks?
1. SQL Injection
The overwhelming majority of web applications are backed by databases, and most popular database management systems use SQL (Structured Query Language) as the data access language. To perform an SQL injection attack, a malicious hacker includes an SQL query (or another SQL statement) in the data entered into a web form, comment field, query string, or another input channel accessible to the user.
If the target application is vulnerable to SQL injection, it passes this data straight to the database. Instead of just storing a comment or retrieving data, the database executes the SQL commands injected by the attacker. Even if the vulnerable application doesn't directly expose data, attackers may use blind SQL injection to indirectly reveal information from the database, one true/false answer or timing difference at a time.
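The mechanism described above, as an added example that is not part of the original article: a login lookup built by string concatenation next to the same lookup as a parameterized query. The table, rows and payloads are constructed for the demonstration; the point is that with concatenation the attacker's quote characters become part of the SQL text, while with a prepared statement they stay data.

```python
import sqlite3


def make_db():
    """Constructed sample database: a single users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89 pattern: the query text is assembled from user input.
    Whatever the user types becomes part of the SQL statement."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Same lookup as a prepared statement: the driver sends the values
    separately from the SQL text, so quotes in the input are only data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # Normal use: both implementations behave the same.
    results["legit_vulnerable"] = login_vulnerable(conn, "alice", "hunter2")
    results["legit_param"] = login_parameterized(conn, "alice", "hunter2")
    # Comment-based bypass: the trailing -- turns the password check into a comment,
    # so the concatenated query becomes ... WHERE username = 'admin'--' AND ...
    results["bypass_vulnerable"] = login_vulnerable(conn, "admin'--", "wrong")
    results["bypass_param"] = login_parameterized(conn, "admin'--", "wrong")
    # Tautology: x' OR '1'='1 makes the WHERE clause true for every row.
    taut = "x' OR '1'='1"
    results["tautology_vulnerable"] = login_vulnerable(conn, taut, taut)
    results["tautology_param"] = login_parameterized(conn, taut, taut)
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the parameterized version the injected strings are looked up literally as a username and password, match nothing, and the login fails; the vulnerable version logs the attacker in as admin without a password and, with the tautology, returns every user in the table.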
SQL injections are considered one of the most dangerous web application vulnerabilities and are a permanent item on the CWE Top 25 list as weakness CWE-89: Improper Neutralization of Special Elements used in an SQL Command. Netsparker detects all kinds of SQL injection vulnerabilities, including blind SQL injection, Boolean-based SQL injection, and out-of-band SQL injection.
See our SQL injection cheat sheet for an in-depth discussion of SQL injection attacks, complete with examples for several popular database management systems.
2. Cross-Site Scripting (XSS)
Cross-site scripting lets an attacker inject client-side script into a page that the application then serves to other users, so the script runs in their browsers with the privileges of the application's origin. XSS attacks can have serious consequences, from redirecting the user to a malicious site to stealing session cookies and taking over the user session. While user input filtering can help to reduce the risk of a successful attack, there are many ways of evading XSS filters, so writing secure code, above all encoding output for the HTML context it lands in, is the best defense.
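An added example, not from the original article, of why filtering loses to encoding. A blacklist filter that strips literal `<script>` tags is shown beside context-aware output encoding with the standard library's `html.escape`, and a small `HTMLParser`-based checker reports what an HTML tokenizer would actually treat as a script element or event handler. The comment and attribute payloads are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser


def strip_script_tags(user_input: str) -> str:
    """Naive blacklist filter: removes only literal, lowercase <script> tags."""
    return re.sub(r"</?script>", "", user_input)


def render_comment_filtered(comment: str) -> str:
    """Vulnerable: trusts the filter and inserts the text into HTML unchanged."""
    return '<div class="comment">' + strip_script_tags(comment) + "</div>"


def render_comment_encoded(comment: str) -> str:
    """Hardened: encoded for the HTML text context, so markup in the input
    is displayed as text rather than interpreted by the browser."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_attribute_raw(value: str) -> str:
    """Vulnerable attribute context: a quote in the input closes the attribute."""
    return '<input type="text" name="q" value="' + value + '">'


def render_attribute_encoded(value: str) -> str:
    """Hardened attribute context: quote=True encodes both kinds of quote, and
    the attribute is always quoted, so the input cannot break out of it."""
    return '<input type="text" name="q" value="' + html.escape(value, quote=True) + '">'


class ActiveContentFinder(HTMLParser):
    """Records script elements and on* event-handler attributes as seen by an
    HTML tokenizer, which is what a browser would act on."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(fragment: str) -> list:
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Constructed payloads: mixed case evades the case-sensitive filter, and an
    # event handler on an image needs no <script> tag at all.
    for payload in ("<script>alert(1)</script>", "<ScRiPt>alert(1)</ScRiPt>",
                    "<img src=x onerror=alert(1)>"):
        print(payload, "filtered ->", active_content(render_comment_filtered(payload)),
              "encoded ->", active_content(render_comment_encoded(payload)))
    attr = '" onfocus="alert(1)" autofocus="'
    print(attr, "raw ->", active_content(render_attribute_raw(attr)),
          "encoded ->", active_content(render_attribute_encoded(attr)))
```

The filter handles the one payload its author tested and nothing else; the encoded versions never produce an element or handler attribute from user input. Modern template engines do this escaping by default, and the same rule applies there: pick the encoder for the context (HTML text, attribute, JavaScript string, URL) rather than trying to enumerate bad input.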
XSS is listed in the CWE weakness classification under CWE-79: Improper Neutralization of Input During Web Page Generation and was ranked the #2 most dangerous software weakness in the CWE Top 25 for 2019. Netsparker detects several types of XSS vulnerabilities, including stored cross-site scripting and DOM-based cross-site scripting.
3. OS Command Injection
Web applications sometimes need to execute system commands in the underlying operating system. If the application has a command injection vulnerability, attackers can supply their own OS commands in user inputs. Successful command injection (also called shell injection) can be extremely dangerous because it can allow the attacker to extract information about the underlying OS and its configuration or even take complete control and execute arbitrary system commands.
Again, prevention is better than cure, so it's good practice to avoid calling system commands from web applications wherever possible. Where a system command is absolutely necessary, do not route user input through a shell: invoke the program directly with an argument list, carefully validate user inputs, and restrict them by whitelisting.
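The two approaches above side by side, as an added example that is not part of the original article. The feature (counting lines in a file the user names, via `wc -l`) and the file name payload are constructed for the demonstration; the example assumes a POSIX system with `/bin/sh` and `wc` available.

```python
import os
import re
import subprocess
import tempfile


def count_lines_vulnerable(path: str) -> str:
    """CWE-78 pattern: a command line is built from user input and handed to
    /bin/sh, so shell metacharacters in `path` (; | && $( ) backticks) are
    interpreted as commands."""
    result = subprocess.run("wc -l " + path, shell=True, capture_output=True, text=True)
    return result.stdout


# Whitelist: a plain file name, no path separators, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def count_lines_safe(base_dir: str, name: str) -> int:
    """Hardened: whitelist the input, build the path under base_dir, and run
    the program directly with an argument list. No shell is involved, so the
    input can only ever reach wc as a single argument."""
    if not SAFE_NAME.match(name) or name in (".", ".."):
        raise ValueError("invalid file name")
    path = os.path.join(base_dir, name)
    # Defence in depth: refuse symlinks that resolve outside base_dir.
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(base_dir):
        raise ValueError("path escapes base directory")
    result = subprocess.run(["wc", "-l", path], capture_output=True, text=True, check=True)
    return int(result.stdout.split()[0])


def demo():
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("line 1\nline 2\nline 3\n")
        # Constructed payload: a valid file followed by a second command.
        payload = "/dev/null; echo INJECTED"
        out = {
            "vulnerable_output": count_lines_vulnerable(payload),
            "safe_count": count_lines_safe(d, "notes.txt"),
        }
        try:
            count_lines_safe(d, payload)
            out["payload_rejected"] = False
        except ValueError:
            out["payload_rejected"] = True
        return out


if __name__ == "__main__":
    print(demo())
```

With `shell=True` the injected `echo INJECTED` runs and its output appears alongside the real result; the hardened version rejects the same string before anything is executed, and even an unvalidated string would only ever be one argument to `wc`, never a second command.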
OS command injection came in at #11 in the CWE Top 25 list as CWE-78: Improper Neutralization of Special Elements used in an OS Command. Netsparker detects several variants of command injection vulnerabilities, including blind command injection and out-of-band command injection.
4. Code Injection (Remote Code Execution)
For any web application, a large part of the application code is executed on the web server. If the attacker is able to supply application code and get the server to execute it, the application has a code injection vulnerability. For instance, if the application is written in PHP, the attacker can inject PHP code which is then executed by the PHP interpreter on the server; when the injected code reaches a dynamic evaluation function such as eval(), this is called an eval injection attack.
Note that code injection is different from OS command injection, although if the interpreter allows system function calls, the injected application code can itself execute a system command (effectively achieving OS command injection). If the attacker manages to gain remote code execution, the target system should be considered compromised, so this is a critical vulnerability.
Code injection is classified under CWE-94: Improper Control of Generation of Code (#18 on the Top 25 for 2019), with eval injection (CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code) as one of its subtypes. Netsparker detects dozens of code execution and code evaluation vulnerabilities in a variety of programming languages and frameworks.
5. XXE Injection
The final type of injection vulnerability in this compilation is XML external entity (XXE) injection. By exploiting support for legacy document type definitions (DTDs) combined with weak XML parser security, attackers can use specially crafted XML documents to perform a variety of attacks, from local file disclosure and path traversal to server-side request forgery (SSRF) and remote code execution.
Unlike the previous four attacks, this one doesn't depend on the application failing to validate free-form user input. Instead, it targets inherently unsafe legacy functionality in the XML parser itself, which makes it particularly dangerous: a parser left at unsafe defaults resolves external entities without the application ever asking it to. If your application processes XML documents, the only reliable way to avoid this vulnerability is to completely disable support for DTDs, or at the very least disable external entity resolution.
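The file-disclosure case above, as an added example that is not part of the original article. It uses Python's standard `xml.sax` parser: one configuration has general external entity resolution switched on (the unsafe setting), one has it off, and a third rejects any document carrying a DTD at all, which is the "disable DTDs" advice from the text. The secret file and the attacker's document are constructed for the demonstration; the SYSTEM identifier is a bare local path, which this parser resolves the same way it would a `file://` URL.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser reports inside elements."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_xml(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parses the document and returns its text content. With external entity
    resolution enabled (the unsafe configuration), a SYSTEM entity pointing at
    a local file is read and spliced into the document; with it disabled, the
    entity reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text)


def parse_xml_no_dtd(xml_bytes: bytes) -> str:
    """Hardened policy: refuse documents that carry a DTD at all, then parse
    with external entities off as a second layer."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("documents with a DTD are not accepted")
    return parse_xml(xml_bytes, resolve_external_entities=False)


def demo():
    with tempfile.TemporaryDirectory() as d:
        secret_path = os.path.join(d, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("API-KEY-12345")
        # Constructed attacker document: the entity is declared in the DTD and
        # referenced inside the element the application reads.
        evil = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE order [<!ENTITY xxe SYSTEM "' + secret_path + '">]>\n'
            "<order><item>&xxe;</item></order>"
        ).encode()
        out = {
            "vulnerable": parse_xml(evil, resolve_external_entities=True),
            "entities_off": parse_xml(evil, resolve_external_entities=False),
        }
        try:
            parse_xml_no_dtd(evil)
            out["dtd_rejected"] = False
        except ValueError:
            out["dtd_rejected"] = True
        return out


if __name__ == "__main__":
    print(demo())
```

The application code is identical in all three cases; only the parser configuration differs, which is the point of the section. Rejecting the DTD outright also shuts the door on the other DTD-based attacks (entity expansion denial of service, SSRF through an external DTD or entity URL) that turning off a single feature may not cover.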
Attack vectors related to XML external entities are assigned the weakness classification CWE-611: Improper Restriction of XML External Entity Reference and are listed at #4 in the OWASP Top Ten (2017). Netsparker detects XXE injection vulnerabilities, including out-of-band XXE injection.
Preventing Injection Attacks
All but one of the injection attacks listed above rely on untrusted input being executed by the web application. Unsurprisingly, improper input validation has its own place in the CWE Top 25 list, right up at #3 (CWE-20: Improper Input Validation). Careful and thoughtful validation, filtering, and encoding of all user-controlled inputs can help to prevent the overwhelming majority of injection vulnerabilities. To minimize your attack surface, regularly scan your web applications with an industry-leading web vulnerability scanner to make sure that you can eliminate vulnerabilities faster than new ones are introduced.