A Brief Introduction To Injection Attack
Posted By : Abhimanyu Garg | 30-May-2018
This blog provides information about the different types of injection attacks.
In an injection attack, an attacker supplies untrusted data as input to a program. An interpreter then processes that data as part of a command or query, which alters the behavior of the program.
Through injection, an attacker can cause data theft, data loss, loss of data integrity, etc.
Injection is listed as the number one web application security risk in the OWASP Top 10. Injection attacks are very widely used to find vulnerabilities and abuse applications; there are countless freely available and reliable tools that even inexperienced attackers use to abuse these vulnerabilities automatically.
Types of Injection Attacks
The following is a list of common injection attacks:
Code injection: The attacker injects application code that can execute operating system commands as the user running the web application.
CRLF injection: The attacker injects an unexpected CRLF character sequence to break an HTTP response header and write arbitrary content to the response body, including Cross-site Scripting (XSS).
Email injection: The attacker injects IMAP/SMTP statements into an email server that is not directly available via a web application. Impact: e.g. spam relay, information disclosure.
LDAP injection: The attacker modifies Lightweight Directory Access Protocol (LDAP) statements. Impact: authentication bypass, privilege escalation, information disclosure.
SQL injection (SQLi): The attacker injects SQL commands that can read or modify data in a database. Impact on the system: authentication bypass, information disclosure, data loss, data theft, loss of data integrity, denial of service, full system compromise.
XPath injection: The attacker injects data into an application to execute crafted XPath queries.
Safety Tips: An ounce of prevention is better than a pound of cure.
Always double check, design with security, keep abreast, don't complicate things, plug the hole (and sound the alarm).
Abhimanyu has experience in automation and manual testing of web-based and desktop applications using the tools QA Test Complete and Selenium WebDriver. He has worked in different business domains: Travelling, Insurance and Accounting.