There are several vulnerabilities you need to be aware of, and the OWASP Top 10 lists the most dangerous ones. We are describing each vulnerability and attack people need to be cautious of; you can also read about XXE attacks and LFI and RFI attacks. Here we answer what injection attacks are, whether there are different types of injection attacks, and if so, what they are. People usually know only about SQL injection attacks and not about the others. So, let’s start.
What are Injection Attacks?
First of all, understand the term injection, which depicts the way these attacks are made. Just as an injection passes liquid medicine into your body or draws blood from it, these attacks pass some content in and fetch information out. The difference is that injection attacks are malicious and compromise your data, which causes a significant loss to your business.
Injection attacks denote a wide class of attacks in which an attacker submits different types of input to a program. The program then interprets this input as part of a search query or command and executes it, generating wrong results. The attacker can hence crash the site or obtain your confidential data. The injection attack is the oldest and most treacherous technique for attacking a web application. Such attacks can cause data loss or theft, denial of service, and loss of data integrity, and can also compromise the complete system.
The injection attack is one of the significant problems in security. It is ranked as the first web application vulnerability in the OWASP Top 10, and of course there is a strong reason behind it. There are various types of injection attacks, but the most widespread and dangerous ones are SQL injection and cross-site scripting (XSS). They mostly target legacy systems.
Injection attacks are considered so dreadful because their attack surface is very large, mainly for the SQL and XSS types. Moreover, their popularity has increased in the hacker world because numerous free tools are available that help amateur hackers as well, which makes it easy for them to try and test their hacking skills through injection attacks. Let’s see the diverse types of injection attacks.
| Type of injection attack | What does it do? | What impact does it cause? |
|---|---|---|
| CRLF injection | Injects an unexpected CRLF (Carriage Return and Line Feed) character sequence that splits the HTTP response header and writes arbitrary content to the response body, including cross-site scripting (XSS). | Damage via cross-site scripting (XSS) |
| Email (Mail command/SMTP) injection | Injects IMAP/SMTP statements to a mail server that is not directly accessible through the web application. | Spam relay and information disclosure |
| LDAP injection | Injects LDAP (Lightweight Directory Access Protocol) statements to execute arbitrary LDAP instructions, such as modifying the contents of an LDAP tree and granting permissions. | Authentication bypass, privilege escalation, and information disclosure |
| SQL injection (SQLi) | Injects SQL commands that can read, write, or modify data in a database. Advanced variations of this attack can write arbitrary files onto the server and also execute OS commands, which can compromise the complete system. | Information disclosure, data loss and theft, authentication bypass, denial of service, loss of data integrity, and full system compromise |
| Code injection | Injects application code that executes operating system commands with the access of the system user. Advanced attacks can use privilege escalation weaknesses to acquire even higher privileges, such as admin. | Full system compromise |
| Cross-site Scripting (XSS) | | Account impersonation and defacement |
| Host header injection | Abuses the HTTP Host header to poison password-reset functionality and also targets web caches. | Poisoning of password-reset functionality and caches |
| OS Command injection | Targets operating system commands by gaining illegal access to various systems. | Full system compromise |
| XPath injection | Injects malicious data into an application to execute crafted XPath queries, which can help in accessing unauthorized data and bypassing authentication. | |
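To make the SQL injection row concrete, here is an added example (not part of the original article) that runs the same lookup twice: once built by string concatenation and once with a bound parameter. It uses Python's built-in `sqlite3` module; the table, the sample users, and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data for illustration only.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concat(conn, name):
    """Vulnerable: the input is pasted into the SQL text, so the database
    parses any quote characters in it as part of the statement."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_param(conn, name):
    """Hardened: the input is bound as a parameter and is only ever
    compared as a value; it never reaches the SQL parser."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Return (rows from the concatenated query, rows from the bound one)."""
    conn = build_db()
    try:
        return find_user_concat(conn, name), find_user_param(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed input whose quote changes the structure of the statement.
    crafted = "nobody' OR '1'='1"
    for label, value in (("normal", "bob"), ("crafted", crafted)):
        concat_rows, param_rows = compare(value)
        print(f"{label}: concatenated={len(concat_rows)} rows, "
              f"parameterized={len(param_rows)} rows")
```

With the normal input both functions return the single matching row. With the constructed input the concatenated query returns every row in the table, while the parameterized query returns none because no user has that literal name.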
These were the various types of injection attacks. Now that you know them, share this knowledge with other people you know so that they can be alert to them as well.