Types of Injection attacks

Injection attacks are one of the most common attacks we saw in 2020. In fact, injection vulnerability is ranked at number 1 in the OWASP Top Ten Web Application Security Risks. From our scans, we consistently see that websites are vulnerable to these types of attacks, sometimes critically.

Previously the most common attack was the brute force attack, where a bot or a human tries various combinations of characters to crack the ID and password. Injections are a much more sophisticated attack.

Many types of injection attacks can be harmful to your web apps and cause severe loss or damage to the data.

The number of exploited web pages is estimated at 500,000. (en.wikipedia.org)

Injection Attacks FAQ

What types of injection attacks are common?

Some of the most common types of injection attacks are SQL injections, cross-site scripting (XSS), code injection, OS command injection, host header injection, and more.

How do you detect injection vulnerabilities?

The most efficient way to detect injection vulnerabilities, which make injection attacks possible, is by using an automated web vulnerability scanner.

What is an injection attack?

In an injection attack, the attacker supplies crafted input to a web application that the application then treats as part of a command or query (the input is "injected").

What can you do to avoid injection attacks?

To avoid injection attacks, you must securely code your web applications to avoid injection vulnerabilities.

What are the best web security tips?

The most important rule is: never trust user input.

What are the common injection attacks?

SQL injections (SQLi) and Cross-site Scripting (XSS) are the most common injection attacks, but they are not the only ones.

What is a CRLF injection?

In a CRLF injection, the attacker injects an unexpected CRLF (Carriage Return and Line Feed) character sequence.

What is a code injection attack?

In a code injection attack, the attacker injects application code written in the application language. Potential impact: full system compromise.

What are the vulnerabilities?

In advanced cases, the attacker may exploit additional privilege escalation vulnerabilities, leading to full webserver compromise.

Visual representation of the types of injection attacks


Here are some of the most dangerous attacks

SQL Injections

SQL is the query language used to communicate with a database; it retrieves, deletes and saves data. In a SQL injection attack, the attacker manipulates the SQL query that the web application builds from user input and gains direct access to your data.

For more detailed technical information on SQL injections, refer here.

Code Injection

In this scenario, the attacker is acquainted with the programming language, the framework or the operating system used by the application.

They can inject code through any input the application accepts, such as text fields, HTTP GET/POST/PUT/DELETE parameters, headers and cookies, and force the web server to do what they want.

Command Injection

Unlike code injections, command injections only require the attacker to know the operating system in use. The attacker inserts an operating system command into your system, and this can compromise the entire system.

The inserted command executes on the host system and can reach arbitrary files, including files that store passwords, on your system or on connected servers.

For more detailed information, refer here.
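As an added example (not from the original article), the following shows the shape of the mistake beside the defence: user input concatenated into a command string for a shell, versus an allowlist check on the input and an argv list passed with `shell=False`, so the input can only ever be one argument. The hostname rule and the `ping` use case are assumptions for illustration.

```python
import re
import shlex
import subprocess

# Allowlist for a hostname: labels of letters, digits and hyphens joined by dots.
# Shell metacharacters such as ; | & ` $ ( ) and whitespace can never pass.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def is_valid_hostname(host: str) -> bool:
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None

def vulnerable_command_line(host: str) -> str:
    # The pattern to avoid: input pasted into a string that os.system() or
    # subprocess.run(..., shell=True) would hand to /bin/sh. Returned as a
    # string here so the example never executes it.
    return "ping -c 1 " + host

def build_ping_argv(host: str) -> list:
    # Validate first, then build an argv list. Because there is no shell,
    # whatever survives validation is a single argument to ping.
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]

def echo_safely(text: str) -> str:
    # Same principle with a harmless command: the full string is one argument
    # to echo, so "; whoami" is printed back literally, not run as a command.
    result = subprocess.run(["echo", text], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")

if __name__ == "__main__":
    hostile = "example.com; whoami"   # constructed input with a shell separator
    print(vulnerable_command_line(hostile))      # two commands if given to a shell
    print(shlex.join(build_ping_argv("example.com")))
    try:
        build_ping_argv(hostile)
    except ValueError as exc:
        print(exc)                               # rejected before any command runs
    print(echo_safely(hostile))                  # printed back as literal text
```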

Cross-Site Scripting (XSS)

Whenever an application inserts user input into the output it generates without validating or encoding it, an attacker can use it to deliver malicious code to a different end user.

Cross-Site Scripting (XSS) attacks take these opportunities to inject malicious scripts into trusted websites, which are then served to other users of the application, who become the attacker's victims.

For more detailed information, refer here.
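The encoding step the paragraph above refers to, as an added example that is not part of the original article: a comment rendered straight into HTML beside the same rendering with output encoding chosen for each context (element body and a double-quoted attribute). The comment widget and the sample inputs are constructed for illustration.

```python
import html

def render_vulnerable(author: str, comment: str) -> str:
    # User input pasted straight into the markup: tags in the comment become
    # part of the page, and a quote in the author name breaks out of the attribute.
    return f'<div class="comment" data-author="{author}">{comment}</div>'

def render_safe(author: str, comment: str) -> str:
    # Encode for the context the value lands in. html.escape(quote=True) turns
    # < > & " ' into entities, so the value is inert both as element text and
    # inside a double-quoted attribute.
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'{html.escape(comment, quote=True)}</div>')

def contains_script_tag(markup: str) -> bool:
    # Coarse check used only to make the difference between the two renderers visible.
    return "<script" in markup.lower()

if __name__ == "__main__":
    # Constructed attacker inputs: a script in the comment body and an
    # attribute breakout in the author name (alert(1) is the classic harmless probe).
    script_comment = "<script>alert(1)</script>"
    breakout_author = 'x" onmouseover="alert(1)'
    print(render_vulnerable(breakout_author, script_comment))
    print(render_safe(breakout_author, script_comment))
```

In the safe rendering the browser sees `&lt;script&gt;` as text and `&quot;` inside the attribute value, so neither input can reach the parser as markup.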

According to various research and studies, up to 50% of websites are vulnerable to DOM Based XSS vulnerabilities. (neuralegion.com)

The above injection types are common attacks on web applications. Protecting your applications can be a huge uphill task for companies or individuals with many web applications and limited developer time. To test your application for SQL Injections, Cross-Site Scripting and the OWASP Top 10 Vulnerabilities, try our free trial and start your first scan in minutes.

Other Common Forms of Injection

(Not covered by the Crashtest Security Suite)

SMTP/IMAP Command Injection

Mail command injections are attacks on mail servers. Most mail servers don’t have a strong level of protection against attacks on IMAP and SMTP.

Host Header injection

When a server hosts many websites, it relies on the HTTP Host header to tell them apart. Manipulating that header creates an attack that can lead to issues with password resets. Host header injections can also lead to web cache poisoning.
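An added example (not from the original article) of the password-reset case: a reset link built from whatever Host header the request carried, beside one that only accepts hosts from a fixed allowlist. The allowlist contents, the `/reset` path and the token are assumptions constructed for illustration.

```python
from urllib.parse import urlunsplit

# Constructed configuration: the hostnames this deployment legitimately serves.
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}

def trusted_host(host_header: str) -> str:
    # The Host header is attacker-controlled. Normalise it (case, optional
    # port) and compare against the allowlist before it is used anywhere.
    host = host_header.strip().lower().split(":", 1)[0]
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return host

def reset_link_vulnerable(host_header: str, token: str) -> str:
    # Builds the link from the raw header: a forged Host makes the application
    # email the victim a link that delivers the reset token to the attacker's domain.
    return f"https://{host_header}/reset?token={token}"

def reset_link_safe(host_header: str, token: str) -> str:
    # Only an allowlisted host can appear in the link; anything else is an error
    # worth logging, since legitimate clients never send it.
    host = trusted_host(host_header)
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))

if __name__ == "__main__":
    token = "T0K3N"                      # constructed placeholder token
    print(reset_link_vulnerable("evil.example", token))
    print(reset_link_safe("Shop.Example.com:443", token))
    try:
        reset_link_safe("evil.example", token)
    except ValueError as exc:
        print(exc)
```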

LDAP Injection

LDAP is a protocol designed to facilitate searching for resources (devices, files, other users) in a network. It is useful on intranets, and when used as part of a single sign-on system it can store usernames and passwords, which makes it a sensitive area that attackers target.

How to detect injection vulnerabilities in your web app?

The modern way to detect injection vulnerabilities is to use an automated web vulnerability scanner. You can also run a manual pentest, depending on how much time, budget and customisation of the attack approach you want. Crashtest Security detects, assesses, and remediates most injection vulnerabilities.

Scan for free now

How to prevent injections?

  • Code your web applications in a secure way to avoid injection vulnerabilities.
  • Most importantly, don't trust user input.
  • You can prevent your application from being hacked by controlling and monitoring user input.