Injection vulnerabilities occur when untrusted input is placed into a command, query, or document in a way that lets an attacker change its structure, so the interpreter (database, shell, browser, directory server, XML parser) executes something the developer never intended.
Here are the most common types of injection attacks:
1. SQL Injection
• Target: Databases
• Description: Exploiting vulnerabilities in SQL queries by injecting malicious SQL code.
• Example:
SELECT * FROM users WHERE username = 'admin' AND password = '';
An attacker who submits ' OR '1'='1 as the password turns the query into:
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';
AND binds tighter than OR, so the WHERE clause is true for every row and the login succeeds without a valid password.
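The bypass above, run against a throwaway database, as an added example (not code from the original page). It assumes a constructed in-memory SQLite users table; the vulnerable function concatenates the query exactly as shown above, the safe one uses a parameterized query with the same inputs.

```python
import sqlite3


# Constructed in-memory users table standing in for the application's database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple')")
    conn.commit()
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    # String concatenation: the attacker's quote closes the literal and the rest
    # of the input becomes SQL syntax. This is the broken pattern from the example above.
    return (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    return conn.execute(build_query_vulnerable(username, password)).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Parameterized query: the SQL text is fixed and the values travel as data,
    # so a quote in the password can never change the query's structure.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


PAYLOAD = "' OR '1'='1"


def demo() -> tuple:
    """Returns (rows handed to the attacker by the vulnerable login, rows by the safe login)."""
    conn = make_db()
    return (
        len(login_vulnerable(conn, "admin", PAYLOAD)),
        len(login_safe(conn, "admin", PAYLOAD)),
    )


if __name__ == "__main__":
    print(build_query_vulnerable("admin", PAYLOAD))
    print(demo())
```

The vulnerable login returns the admin row for the payload; the parameterized one returns nothing, because the driver compares the stored password with the literal string ' OR '1'='1.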
2. Command Injection
• Target: Operating Systems
• Description: Injecting shell metacharacters (; | && $( )) into input that the application passes to a system shell, so extra commands run on the server.
• Example:
Input: 8.8.8.8; rm -rf /
Resulting command: ping 8.8.8.8; rm -rf /
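An added example (not from the original page) of where the command boundary ends up and how to build the command safely. The tokenizer below uses shlex to split the string the way a POSIX shell would, so the injected rm shows up as a separate command without anything being executed; the safe builder is an assumed design that validates the host as an IP literal and passes an argv list instead of a shell string.

```python
import ipaddress
import shlex
import subprocess


def ping_command_vulnerable(host: str) -> str:
    # The string is handed to a shell (os.system, subprocess.run(..., shell=True)),
    # so ';', '|', '&&' and '$(...)' inside host are interpreted as shell syntax.
    return f"ping -c 1 {host}"


def shell_tokens(command: str) -> list:
    # Tokenise as a POSIX shell does, keeping ; | & as separate operator tokens,
    # to show where the injected command boundary falls. Nothing is run.
    return list(shlex.shlex(command, punctuation_chars=True))


def ping_command_safe(host: str) -> list:
    # Allow-list validation: host must be a literal IPv4/IPv6 address. Anything
    # containing ';', a space or a hostname fails ipaddress.ip_address() and is rejected.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"rejected host: {host!r}") from None
    # argv list, no shell: host is a single argument to ping whatever it contains.
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    # Executes only the validated argv form; shell=False is subprocess's default.
    return subprocess.run(ping_command_safe(host), capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    injected = ping_command_vulnerable("8.8.8.8; rm -rf /")
    print(shell_tokens(injected))
    print(ping_command_safe("8.8.8.8"))
    try:
        ping_command_safe("8.8.8.8; rm -rf /")
    except ValueError as exc:
        print(exc)
```

If hostnames must be accepted, validate them against a hostname grammar rather than escaping with shlex.quote; quoting protects the shell, but an argv list with no shell at all removes the problem.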
3. Cross-Site Scripting (XSS)
• Target: Web Browsers
• Description: Injecting attacker-controlled script into pages viewed by other users; it runs in their browser with their session and origin privileges.
• Example:
<script>alert('Hacked!');</script>
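An added example (not from the original page) of the server-side rendering that lets the payload above reach a browser, beside the escaped version. It uses Python's html.escape and assumes two rendering contexts, element body and attribute value, to show that the attribute case needs the quote characters encoded as well.

```python
import html

PAYLOAD = "<script>alert('Hacked!');</script>"


def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text dropped straight into the HTML body: the browser sees a real <script> element.
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Entity-encode for the body context: < > & " ' become entities, so the browser
    # renders the payload as visible text instead of executing it.
    return f"<p>{html.escape(comment)}</p>"


def render_attr_vulnerable(value: str) -> str:
    # Attribute context: a value such as  " autofocus onfocus="alert(1)  closes the
    # attribute and adds an event handler without ever using < or >.
    return f'<input value="{value}">'


def render_attr_safe(value: str) -> str:
    # quote=True (the default) also encodes " and ', which is what keeps the value
    # inside the attribute; escaping only < and > would not be enough here.
    return f'<input value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_attr_safe('" autofocus onfocus="alert(1)'))
```

Output encoding is context-specific: a value placed inside a script block or a URL needs different treatment again, which is why template engines with automatic contextual escaping are preferable to hand-rolled escaping.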
4. LDAP Injection
• Target: Directory Services (e.g., Active Directory)
• Description: Injecting malicious LDAP queries to manipulate or retrieve unauthorized directory data.
• Example:
Query template: (&(uid=INPUT))
Input: *)(userPassword=*
Resulting query: (&(uid=*)(userPassword=*))
The injected presence assertion matches every entry that has a userPassword attribute, turning a single-user lookup into an enumeration.
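An added example (not from the original page) showing the filter built by concatenation beside one built with RFC 4515 value escaping, which is the LDAP equivalent of parameterization. The template (&(uid=...)) is assumed; the escaping table is the standard one from the RFC.

```python
def escape_ldap_filter_value(value: str) -> str:
    # RFC 4515: each special character becomes a backslash plus two hex digits,
    # so the directory server treats it as data rather than filter syntax.
    specials = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def user_filter_vulnerable(uid: str) -> str:
    # Concatenation: ')' and '(' in the input open new assertions inside the AND.
    return f"(&(uid={uid}))"


def user_filter_safe(uid: str) -> str:
    # The escaped value cannot contain a raw parenthesis or wildcard.
    return f"(&(uid={escape_ldap_filter_value(uid)}))"


PAYLOAD = "*)(userPassword=*"


if __name__ == "__main__":
    print(user_filter_vulnerable(PAYLOAD))
    print(user_filter_safe(PAYLOAD))
```

The escaped filter asks for a uid whose literal value is *)(userPassword=*, which matches nothing; the concatenated one matches every entry with a password attribute. Values placed in a DN (as opposed to a search filter) need the different escaping rules of RFC 4514.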
5. XML External Entity (XXE) Injection
• Target: XML Parsers
• Description: Abusing an XML parser that resolves external entities to read local files, reach internal services (SSRF), or exhaust memory through nested entity expansion.
• Example:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>
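An added example (not from the original page) of parsing the payload above with external entity resolution switched off, using Python's xml.sax, plus a stricter wrapper that refuses any DOCTYPE at all. The documents are constructed for the example; the policy of rejecting DTDs outright is an assumed one, which also blocks internal-entity expansion attacks that need no file access.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed documents: the XXE payload from above and a benign one.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    "<data>&xxe;</data>"
)
BENIGN = "<data>hello</data>"


class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_entities_disabled(document: str) -> str:
    # The parser is told never to fetch external general or parameter entities.
    # The &xxe; reference then contributes no text instead of /etc/passwd.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document.encode("utf-8")))
    return "".join(handler.chunks)


def parse_untrusted_xml(document: str) -> str:
    # Stricter policy for untrusted input: refuse any DTD. This also stops
    # "billion laughs" style expansion, which uses only internal entities.
    if re.search(r"<!DOCTYPE", document, re.IGNORECASE):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    return parse_entities_disabled(document)


if __name__ == "__main__":
    print(repr(parse_entities_disabled(XXE_PAYLOAD)))
    print(parse_untrusted_xml(BENIGN))
```

The same two controls exist in every mainstream parser (for example disallow-doctype-decl and external-general-entities in Java's SAX/DOM factories); the point is that the safe configuration is explicit, since several parsers still resolve entities by default.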
6. Code Injection
• Target: Applications
• Description: Injecting malicious code that is interpreted and executed by the application.
• Example:
Python: eval(user_input) with user_input = "__import__('os').system('rm -rf /')"
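An added example (not from the original page) of the eval pattern above and two replacements: ast.literal_eval for data literals, and an assumed small calculator that walks the AST and accepts only numeric constants and arithmetic operators, which is the usual reason eval gets reached for in the first place.

```python
import ast
import operator

# Binary operators a calculator endpoint actually needs. Everything else
# (attribute access, calls, names, imports) is refused. Pow is left out on
# purpose: 9**9**9 is a denial of service even without code execution.
ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}


def compute_vulnerable(expr: str):
    # eval() runs arbitrary Python; "__import__('os').system('rm -rf /')" is a valid expression.
    return eval(expr)


def compute_literal(expr: str):
    # ast.literal_eval only builds literals (numbers, strings, lists, dicts, ...)
    # and raises ValueError on calls, names and attribute access.
    return ast.literal_eval(expr)


def compute_arith(expr: str):
    # Parse to an AST and evaluate it ourselves, accepting only the node types listed.
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in ALLOWED_BINOPS:
            return ALLOWED_BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)


if __name__ == "__main__":
    print(compute_arith("2 * (3 + 4) - -1"))
    for fn in (compute_literal, compute_arith):
        try:
            fn("__import__('os').system('rm -rf /')")
        except ValueError as exc:
            print(fn.__name__, "rejected:", exc)
```

The allow-list approach generalizes: parse the input into a structure, then interpret only the node types you intend to support, instead of trying to blacklist dangerous strings before handing them to eval.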
7. NoSQL Injection
• Target: NoSQL Databases (e.g., MongoDB)
• Description: Manipulating NoSQL queries to bypass authentication or extract data.
• Example:
Request body: { "username": "admin", "password": { "$ne": null } }
Resulting query: db.users.find({ username: "admin", password: { $ne: null } })
The $ne operator matches any stored password that is not null, so the comparison succeeds without knowing it.
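An added example (not from the original page) of how the operator object gets into the query and why a type check stops it. MongoDB itself is not required: a toy matcher that understands equality and $ne stands in for the server, and the user record is constructed for the example.

```python
import json

# Constructed user record standing in for a MongoDB document.
USERS = [{"username": "admin", "password": "s3cret-hash"}]


def mongo_like_match(doc: dict, query: dict) -> bool:
    # Minimal stand-in for MongoDB's matcher: equality plus the $ne operator,
    # which is all that is needed to show the bypass.
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            if set(cond) != {"$ne"}:
                raise NotImplementedError("toy matcher supports only $ne")
            if value == cond["$ne"]:
                return False
        elif value != cond:
            return False
    return True


def find_user(query: dict) -> list:
    return [u for u in USERS if mongo_like_match(u, query)]


def login_filter_vulnerable(body: str) -> dict:
    # Whatever JSON the client sent becomes the query value; an object such as
    # {"$ne": null} passes straight through as a query operator.
    data = json.loads(body)
    return {"username": data["username"], "password": data["password"]}


def login_filter_safe(body: str) -> dict:
    # Type check: only strings are accepted as credentials, so operator objects
    # never reach the query. (A real login would compare a password hash, not a plain field.)
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return {"username": username, "password": password}


ATTACK_BODY = '{"username": "admin", "password": {"$ne": null}}'


if __name__ == "__main__":
    print(find_user(login_filter_vulnerable(ATTACK_BODY)))
    try:
        login_filter_safe(ATTACK_BODY)
    except ValueError as exc:
        print("rejected:", exc)
```

The same bug appears with query-string parsers that turn password[$ne]=1 into a nested object, so the type check belongs at the point where the value enters the query, not only on JSON bodies.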
8. Server-Side Template Injection (SSTI)
• Target: Templating Engines (e.g., Jinja2, Thymeleaf)
• Description: Injecting malicious template expressions to execute arbitrary code on the server.
• Example:
{{ 7*7 }} => 49 (a 49 in the response shows the input was evaluated as a template expression rather than rendered as text)
9. CRLF Injection
• Target: HTTP Headers
• Description: Injecting carriage return and line feed (\r\n) characters to manipulate HTTP headers or responses.
• Example:
Input: username=admin\r\nSet-Cookie: session=attacker
10. Host Header Injection
• Target: HTTP Headers
• Description: Manipulating the Host header to control application logic or generate malicious links.
• Example:
Host: attacker.com
11. XPath Injection
• Target: XML Data Stores
• Description: Injecting malicious XPath expressions to manipulate or retrieve XML data.
• Example:
Query template: //user[name='INPUT' and password='PW']
Input for name: ' or 1=1 or ''='
Resulting query: //user[name='' or 1=1 or ''='' and password='PW']
Because and binds tighter than or, the predicate is true for every user node regardless of the password.
12. Email Header Injection
• Target: SMTP Headers
• Description: Injecting malicious email headers to send spam or phishing emails.
• Example:
To: victim@example.com\r\nBCC: spam@example.com
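An added example (not from the original page) covering both the CRLF injection in section 9 and the email header injection in section 12, since they are the same defect: a CR LF inside a header value ends the line, and the receiving parser treats what follows as a new header. The block builds a header block from a field map, parses it back with Python's email header parser the way an HTTP client or mail server would, and shows the safe builder rejecting control characters. The payload maps are constructed for the example.

```python
from email.parser import HeaderParser

FORBIDDEN = ("\r", "\n", "\x00")


def build_headers_vulnerable(fields: dict) -> str:
    # Each value is written straight after "Name: ". A CR LF inside a value ends the
    # line, and whatever follows is parsed as a separate header by the receiver.
    return "".join(f"{name}: {value}\r\n" for name, value in fields.items()) + "\r\n"


def build_headers_safe(fields: dict) -> str:
    # Reject CR, LF and NUL in both names and values before they reach the wire.
    for name, value in fields.items():
        if any(c in name or c in value for c in FORBIDDEN):
            raise ValueError(f"control character in header {name!r}")
    return build_headers_vulnerable(fields)


def parse_headers(raw: str) -> list:
    # Parse the block back as a receiver would; HTTP/1.1 and SMTP messages share
    # the same RFC 822 style "Name: value" syntax.
    msg = HeaderParser().parsestr(raw)
    return list(msg.items())


# Constructed payloads: the Set-Cookie example from section 9 and the BCC example from section 12.
HTTP_PAYLOAD = {"Set-Cookie": "user=admin\r\nSet-Cookie: session=attacker"}
MAIL_PAYLOAD = {"To": "victim@example.com\r\nBCC: spam@example.com", "Subject": "Your receipt"}


if __name__ == "__main__":
    print(parse_headers(build_headers_vulnerable(HTTP_PAYLOAD)))
    print(parse_headers(build_headers_vulnerable(MAIL_PAYLOAD)))
    try:
        build_headers_safe(MAIL_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Mainstream HTTP frameworks and mail libraries already raise on CR/LF in header values; the bug reappears when code bypasses them by writing raw sockets or building a message with string formatting, which is what the vulnerable builder mimics.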
13. Dependency Injection (malicious dependencies)
• Target: Software Dependencies and package managers
• Description: Getting a malicious package or version pulled into a build, for example by typosquatting a popular name, compromising a maintainer account, or dependency confusion (publishing a public package with the same name and a higher version than an internal one). This is a supply-chain attack and unrelated to the dependency-injection design pattern of the same name.
• Example: Malicious libraries or versions in npm or pip.
14. Deserialization Injection (insecure deserialization)
• Target: Serialized Objects
• Description: Feeding crafted serialized data to a deserializer that reconstructs arbitrary classes or invokes callbacks during loading (Java ObjectInputStream, PHP unserialize, Python pickle, .NET BinaryFormatter), leading to code execution.
• Example: Modifying serialized data to include malicious payloads.
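An added example (not from the original page) using Python's pickle, whose REDUCE opcode calls any importable function named in the stream. The payload is a hand-built protocol-0 pickle constructed for this example; it calls os.getcwd as a harmless stand-in for the os.system call an attacker would use. The restricted unpickler with a global allow-list is the standard mitigation from the pickle documentation, applied here with an assumed allow-list.

```python
import io
import os
import pickle
import pickletools

# Hand-built protocol-0 pickle (constructed for this example). Opcode by opcode:
#   cos\ngetcwd\n  GLOBAL  push the callable os.getcwd
#   (              MARK
#   t              TUPLE   -> empty argument tuple
#   R              REDUCE  call os.getcwd(*()) and push the result
#   .              STOP
# os.getcwd is harmless; the attacker substitutes os.system with a command string.
PAYLOAD = b"cos\ngetcwd\n(tR."


def load_vulnerable(data: bytes):
    # pickle.loads() on attacker-controlled bytes: REDUCE calls whatever the stream names.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    # Allow-list of the only globals a pickle may reference (assumed for this example).
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    # True when the restricted loader refuses the stream.
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    pickletools.dis(PAYLOAD)          # shows the GLOBAL/REDUCE opcodes in the payload
    print(load_vulnerable(PAYLOAD))   # the callable ran: prints the working directory
    print(is_rejected(PAYLOAD))       # True
```

Plain data pickles (dicts, lists, numbers) contain no GLOBAL opcode and load fine under the restricted unpickler. The stronger fix is not to accept pickle (or any native object serializer) from untrusted sources at all and to use a data-only format such as JSON with explicit schema validation.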
Preventing Injection Attacks:
• Input Validation: Validate all untrusted input against an allow-list of expected formats (type, length, character set) and reject what does not fit; sanitization is a fallback, not the primary control.
• Parameterized Queries: Use prepared statements or an ORM so that query text and data are sent separately; this, not escaping, is the primary defence for SQL and similar query languages, and an ORM only helps if raw query strings are not built by hand.
• Escape Inputs: Where parameterization is not available, apply context-specific encoding (HTML, LDAP filter, shell argument, XML) at the point where the data is emitted, since the correct escaping differs per context.
• Least Privilege: Run the application and its database accounts with minimal rights, so a successful injection cannot read other tables, write files, or spawn a shell.
• Security Testing: Regularly test your application for vulnerabilities with scanners such as OWASP ZAP or Burp Suite, and cover the same injection inputs in automated tests so regressions are caught early.