Crashtest Security Blog

What are the different types of Injection Attacks?

Jul 22, 2020 11:45:00 AM / by Hitesh Raja


Types of Injection attacks

Injection attacks are among the most common attacks we see in 2020. In fact, injection is ranked number one in the OWASP Top Ten Web Application Security Risks. From our scans we consistently see that websites are vulnerable to these types of attack, sometimes critically.

Previously the most common attack was the brute-force attack, where a bot or a human tries many combinations of characters to crack an ID and password. Injection is a far more sophisticated attack.

There are many types of injection attack that can harm your web apps and cause severe loss of, or damage to, their data.

Here are some of the most dangerous attacks:



SQL Injection

SQL is a query language used to communicate with a database; it performs actions such as retrieving, deleting and saving data. In a SQL injection attack, the attacker manipulates the SQL query that the web application builds from user input and thereby gains direct access to your data.

For more detailed technical information refer here
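The following is an added example, not code from the original post or from Crashtest Security, showing the query manipulation described above in Python with an in-memory SQLite table constructed for the demo. The vulnerable lookup concatenates the username into the SQL text; the safe lookup passes it as a bound parameter, so the driver never lets the value change the query's structure:

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Builds the query by string concatenation: the input becomes SQL."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes or keywords in the input are just characters to match."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# Constructed inputs: a normal username and the classic tautology that
# turns the WHERE clause into "name = 'x' OR '1'='1'", which is always true.
ORDINARY = "bob"
HOSTILE = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vuln_ordinary": find_user_vulnerable(conn, ORDINARY),
        "vuln_hostile": find_user_vulnerable(conn, HOSTILE),   # every row leaks
        "safe_ordinary": find_user_safe(conn, ORDINARY),
        "safe_hostile": find_user_safe(conn, HOSTILE),         # no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Parameterised queries (or an ORM that uses them underneath) are the primary fix; input validation and least-privilege database accounts limit the blast radius when something slips through.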


Code Injection

In this scenario the attacker is acquainted with the programming language, the framework or the operating system the application uses. They can inject code through many kinds of input, such as text fields, HTTP GET/POST/PUT/DELETE parameters, headers and cookies, and force the web server to do what they want.
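An added example (mine, not from the original post) of the code-injection pattern in Python: a "calculator" feature that hands user input to eval() executes whatever Python the input contains, while a small evaluator that accepts only numbers and arithmetic operators rejects everything else. The hostile input merely calls os.getcwd() so that running the demo is harmless; the point is that the attacker, not the developer, chose what ran:

```python
import ast
import operator

# Arithmetic the safe evaluator is willing to perform.
_ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def calc_vulnerable(expr):
    """Code injection: eval() runs any Python the user typed."""
    return eval(expr)  # deliberately unsafe, shown for contrast


def calc_safe(expr):
    """Parses the input and walks its syntax tree, applying only numeric
    constants, the four binary operators and unary minus. Names, calls,
    attribute access and anything else raise ValueError instead of running."""
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_BINOPS:
            return _ALLOWED_BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("disallowed syntax: " + type(node).__name__)

    return walk(tree)


def rejects(expr):
    """True if the safe evaluator refuses to evaluate the expression."""
    try:
        calc_safe(expr)
    except (ValueError, SyntaxError):
        return True
    return False


# Constructed inputs: an ordinary expression and one smuggling in a call.
ORDINARY = "2 * (3 + 4)"
HOSTILE = "__import__('os').getcwd()"

if __name__ == "__main__":
    print(calc_vulnerable(ORDINARY))   # 14
    print(calc_vulnerable(HOSTILE))    # a filesystem path: the input ran as code
    print(calc_safe(ORDINARY))         # 14
    print(rejects(HOSTILE))            # True
```

The general rule is the same in every language: never pass user input to eval, exec, template compilation or a deserialiser that can instantiate arbitrary types; parse it into a structure you control and interpret that.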


Command Injection

Unlike code injection, command injection only requires the attacker to know the operating system in use. The attacker inserts an operating-system command through the application's input, and this can compromise the entire system.

The inserted command executes on the host system, where it can reach arbitrary files, including those that store passwords, on your system or on connected servers.

For more detailed information refer here
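An added example (not from the original post) of the command-injection pattern and its fix in Python. The vulnerable function assembles a shell command line by string concatenation, the way code that calls os.system() or subprocess with shell=True typically does; it returns the string instead of executing it so the demo is harmless. The safe function validates the input against a strict hostname grammar and returns an argv list, which a process launched without a shell receives as plain data. The `ping -c 1` syntax and the hostname regex are assumptions of this example:

```python
import re
import subprocess
import sys

# Strict hostname grammar: labels of letters, digits and hyphens joined by
# dots. Shell metacharacters (; | & $ ` and whitespace) cannot pass it.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(host):
    """Command injection: the input is spliced into a shell command line, so
    a ';' in it starts a second command. Returned, not executed."""
    return "ping -c 1 " + host


def ping_command_safe(host):
    """Allow-list validation plus an argv list: passed to subprocess.run()
    without shell=True, the host is a single argument and nothing more."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", host]


def rejects(host):
    """True if the safe builder refuses the input."""
    try:
        ping_command_safe(host)
    except ValueError:
        return True
    return False


def argv_probe(value):
    """Launches a child Python interpreter (no shell) with `value` as one
    argv element and returns what the child saw, to show that an argv list
    delivers the input intact as data rather than interpreting it."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


# Constructed inputs.
ORDINARY = "example.com"
HOSTILE = "example.com; echo INJECTED"   # a shell would run the second command

if __name__ == "__main__":
    print(ping_command_vulnerable(HOSTILE))   # ping -c 1 example.com; echo INJECTED
    print(ping_command_safe(ORDINARY))        # ['ping', '-c', '1', 'example.com']
    print(rejects(HOSTILE))                   # True
    print(argv_probe(HOSTILE))                # the whole string, as one argument
```

Where the application needs only a narrow capability (resolve a name, check reachability), calling a library function instead of spawning a shell removes the command line altogether; running the service under an unprivileged account limits what an injected command could reach.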


Cross-Site Scripting

Whenever an application inserts user input into the output it generates without validating or encoding it, an attacker gets the opportunity to deliver malicious code to a different end user.

Cross-Site Scripting (XSS) attacks exploit this opportunity to inject malicious scripts into trusted websites; the scripts are ultimately served to other users of the application, who become the attacker’s victims.

For more detailed information refer here
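An added example (not from the original post) of the output-encoding fix for XSS in Python. Both functions render a user comment into HTML; the vulnerable one concatenates the raw input, the safe one passes it through html.escape(quote=True) so the browser treats it as text in element content and inside the quoted attribute alike. The inputs are constructed for the demo and use a bare alert(1):

```python
import html


def render_comment_vulnerable(author, text):
    """Inserts user input straight into the generated HTML."""
    return '<div class="comment" data-author="' + author + '">' + text + "</div>"


def render_comment_safe(author, text):
    """Encodes user input for the HTML context it lands in. With quote=True,
    html.escape() converts & < > " and ' into entities, so neither the element
    content nor the attribute value can be broken out of."""
    return (
        '<div class="comment" data-author="' + html.escape(author, quote=True) + '">'
        + html.escape(text, quote=True)
        + "</div>"
    )


def survives_unencoded(rendered, raw_input):
    """Demo check: does the raw input appear verbatim in the output, i.e.
    would the browser parse it as markup rather than display it as text?"""
    return raw_input in rendered


# Constructed inputs: a normal comment and one carrying a script tag plus an
# attribute breakout attempt in the author field.
BENIGN_AUTHOR, BENIGN_TEXT = "bob", "Nice post"
HOSTILE_AUTHOR = 'mallory" onmouseover="alert(1)'
HOSTILE_TEXT = "<script>alert(1)</script> nice post"

if __name__ == "__main__":
    print(render_comment_vulnerable(HOSTILE_AUTHOR, HOSTILE_TEXT))
    print(render_comment_safe(HOSTILE_AUTHOR, HOSTILE_TEXT))
```

html.escape() is the right tool for HTML element and attribute contexts only. Input that ends up inside a script block, a URL or a CSS property needs the encoding for that context, which is why templating engines with context-aware auto-escaping are preferable to hand-built strings; a Content Security Policy then limits what an injected script could do if encoding is ever missed.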


The injection types above are common attacks on web applications. Protecting your applications can be a huge uphill task for companies or individuals with many web applications and limited developer time. To test your application for SQL injection, cross-site scripting and the OWASP Top Ten vulnerabilities, try our free trial and start your first scan in minutes.


Other Common Forms of Injection (Not covered by the Crashtest Security Suite)


SMTP/IMAP Command Injection

Mail command injections are attacks on mail servers through the IMAP and SMTP protocols. Most mail servers do not have a strong level of protection against attacks on IMAP and SMTP.

Host Header injection

When a server hosts many websites, it relies on the HTTP Host header to tell which site a request is for. Manipulating that header creates an attack that can lead to issues such as tampered password resets, and host header injection can also lead to web cache poisoning.
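An added example (not from the original post) of the password-reset case in Python. The vulnerable function builds the reset link from whatever Host header arrived with the request, so the link points wherever the request said; the safe function accepts the header only if it names a host the application is configured to serve. The allowed-host set, header names and URL path are assumptions of this example:

```python
from urllib.parse import urlencode

# Hosts this application is actually served under. In a real deployment this
# comes from configuration, never from the request. Constructed for the demo.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def reset_link_vulnerable(headers, token):
    """Builds the password-reset link from the request's Host header, so
    whoever controls that header controls where the link points."""
    return "https://" + headers["Host"] + "/reset?" + urlencode({"token": token})


def reset_link_safe(headers, token, allowed_hosts=ALLOWED_HOSTS):
    """Normalises the Host header (case, optional port) and refuses the
    request unless it matches a configured host; the link is then built on
    that validated host."""
    host = headers.get("Host", "").strip().lower().split(":")[0]
    if host not in allowed_hosts:
        raise ValueError("unrecognised Host header: %r" % headers.get("Host"))
    return "https://" + host + "/reset?" + urlencode({"token": token})


def rejects(headers):
    """True if the safe builder refuses the request."""
    try:
        reset_link_safe(headers, "t")
    except ValueError:
        return True
    return False


# Constructed requests: a legitimate one and one with a manipulated Host.
LEGIT = {"Host": "WWW.EXAMPLE.COM:443"}
HOSTILE = {"Host": "attacker.invalid"}

if __name__ == "__main__":
    print(reset_link_vulnerable(HOSTILE, "abc123"))   # link points at attacker.invalid
    print(reset_link_safe(LEGIT, "abc123"))           # https://www.example.com/reset?token=abc123
    print(rejects(HOSTILE))                           # True
```

The simplest form of the fix is to ignore the Host header for this purpose entirely and build absolute links from a configured canonical base URL; the same allow-list check on Host should also be applied at the web server or framework layer (many frameworks expose it as an "allowed hosts" setting), which addresses the cache-poisoning variant as well.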

LDAP Injection

LDAP is a protocol designed to facilitate searching for resources (devices, files, other users) on a network. It is very useful on intranets, and when used as part of a single sign-on system it can store usernames and passwords, which makes it a sensitive area that attackers target.
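An added example (not from the original post) of LDAP injection and its fix in Python. A login check that concatenates the submitted username into an LDAP search filter lets filter syntax in the input rewrite the query; escaping the special characters as RFC 4515 specifies (backslash, asterisk, parentheses and NUL become \xx hex sequences) keeps the input a literal value. The attribute names and filter shape are assumptions of this example; no directory server is contacted:

```python
# RFC 4515 escapes for values embedded in an LDAP search filter.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value):
    """Replaces every filter-significant character with its hex escape.
    Each character is mapped independently, so a backslash in the input is
    escaped before it could combine with a following escape."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(username):
    """The username is concatenated into the filter, so an asterisk or a
    parenthesis in it changes what the directory search matches."""
    return "(&(objectClass=person)(uid=" + username + "))"


def login_filter_safe(username):
    """Same filter with the value escaped: the directory compares the
    literal characters and nothing else."""
    return "(&(objectClass=person)(uid=" + escape_ldap_filter_value(username) + "))"


def is_wildcard_search(ldap_filter):
    """Demo check: does the filter still contain an unescaped asterisk,
    i.e. would it match more than one literal uid?"""
    stripped = ldap_filter.replace("\\2a", "")
    return "*" in stripped


# Constructed inputs: an ordinary username and a bare wildcard.
ORDINARY = "alice"
HOSTILE = "*"

if __name__ == "__main__":
    print(login_filter_vulnerable(HOSTILE))   # (&(objectClass=person)(uid=*))   matches everyone
    print(login_filter_safe(HOSTILE))         # (&(objectClass=person)(uid=\2a)) matches a literal '*'
```

Most LDAP client libraries ship an equivalent escaping helper; use it for every value placed in a filter, and escape distinguished names separately, since DN syntax has its own rules. Authenticating by binding to the directory with the user's own credentials, rather than by searching for a password value, avoids putting the secret into a filter at all.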

