{"id":1876,"date":"2020-08-28T20:04:56","date_gmt":"2020-08-28T14:34:56","guid":{"rendered":"https:\/\/www.tikaj.com\/?p=1876"},"modified":"2024-01-11T11:00:43","modified_gmt":"2024-01-11T05:30:43","slug":"owasp-top-10-explained-injection","status":"publish","type":"post","link":"https:\/\/www.tikaj.com\/blog\/owasp-top-10-explained-injection\/","title":{"rendered":"OWASP TOP 10 Explained: Injection"},"content":{"rendered":"\n

Injection covers a broad class of attack vectors in which an attacker supplies untrusted input to a program and that input is treated by an interpreter as part of a command or query, changing how the program executes. Injection attacks are among the most common and most damaging attacks on web applications. They can result in data theft, data loss, loss of data integrity, denial of service, and complete compromise of the host.<\/p>\n\n\n\n

Injection is a major concern in web security. It was ranked the number one web application security risk in the OWASP Top 10<\/a>, and with good reason: injection flaws, notably SQL injection (SQLi) and Cross-site Scripting (XSS), are both very serious and very common, especially in legacy applications. (The 2021 edition of the Top 10 lists Injection at number three and folds XSS into the same category.)<\/p>\n\n\n\n


Types of Injection<\/h1>\n\n\n\n

Although SQL injection (SQLi) and Cross-Site Scripting (XSS) are the most frequently discussed injection attacks, they are by no means the only ones.<\/p>\n\n\n\n

Code Injection<\/strong><\/h2>\n\n\n\n

Injects application code, for example into an eval() call or a template that the server evaluates, which then runs with the privileges of the account that owns the web application process. If the attacker can chain a privilege escalation vulnerability, the result is complete compromise of the host.<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

Full system compromise<\/p>\n\n\n\n
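The classic code injection sink is an eval() call fed by user input. The following added example (illustrative code, not from the original post) shows a "calculator" endpoint written that way and then rewritten to interpret only an allowlisted subset of the parsed syntax tree. The function names and the operator allowlist are assumptions.<\/p>\n\n\n\n

```python
"""Added example (not from the original post): a calculator endpoint that
evaluates a user-supplied expression. eval() makes it a code injection
sink; the hardened version walks the parsed AST and permits only
arithmetic. Function names and the allowed operator set are assumptions."""
import ast
import operator


def calc_unsafe(expr: str):
    # Vulnerable: eval() runs *any* Python expression the caller sends, so a
    # "calculator" input like "__import__('os').system('id')" executes a
    # command with the web application's privileges.
    return eval(expr)


# Allowlist of AST node types the calculator is willing to execute.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def calc_safe(expr: str):
    # Hardened: parse without executing, then interpret only the node types
    # in the allowlist. Names, attribute access, calls, subscripts and every
    # other construct raise, so there is no path to arbitrary code.
    # Exponentiation is deliberately left out: 9**9**9 would be a CPU DoS.
    if len(expr) > 200:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](ev(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)
```

calc_unsafe("__import__('os').getpid()") happily returns the server's process id, which is all the proof needed that arbitrary code ran; calc_safe rejects the same string at the first ast.Call node it meets.<\/p>\n\n\n\n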

CRLF Injection<\/strong><\/h2>\n\n\n\n

Injects an unexpected CRLF (Carriage Return and Line Feed) sequence into an HTTP header that the application builds from user input. The line break ends that header early, so the attacker can append arbitrary headers and even a response body, which is a common route to Cross-site Scripting (XSS).<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

HTTP response splitting, Cross-site Scripting (XSS)<\/p>\n\n\n\n

Cross-site Scripting (XSS)<\/strong><\/h2>\n\n\n\n

Injects arbitrary JavaScript into a legitimate website or application, which is then executed in the victim’s browser with that site’s origin.<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

Account impersonation (session hijacking), execution of arbitrary JavaScript in the victim\u2019s browser<\/p>\n\n\n\n
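The defence against XSS is output encoding chosen for the context the value lands in. The following added example (illustrative code, not from the original post) renders a user comment two ways: the unsafe version concatenates the name, profile link and body straight into HTML; the safe version HTML-encodes text with Python's html.escape and allowlists the URL scheme, because encoding alone does not stop a javascript: URL in an href. The function names and the http/https allowlist are assumptions.<\/p>\n\n\n\n

```python
"""Added example (not from the original post): context-aware output encoding
for a comment widget. Function names and the scheme allowlist are assumed."""
from __future__ import annotations

import html
from urllib.parse import urlsplit

# Only these URL schemes may appear in an href; "javascript:" and "data:"
# are the classic ways to run script from a link even when the rest of the
# page is correctly encoded.
SAFE_LINK_SCHEMES = frozenset({"http", "https"})


def render_comment_unsafe(name: str, link: str, body: str) -> str:
    # Vulnerable: user-controlled strings are concatenated straight into
    # HTML, in an attribute value and in element text, with no encoding.
    return f'<a href="{link}">{name}</a><p>{body}</p>'


def safe_href(link: str) -> str:
    # Scheme allowlist first (urlsplit lower-cases the scheme), then
    # attribute encoding so a quote in the URL cannot close the attribute.
    # Relative links are refused too, which also blocks "//evil.example".
    if urlsplit(link).scheme not in SAFE_LINK_SCHEMES:
        return "#"
    return html.escape(link, quote=True)


def render_comment_safe(name: str, link: str, body: str) -> str:
    # Hardened: every untrusted value is encoded for the context it lands in.
    # html.escape() turns < > & " ' into entities, so markup in the body is
    # displayed as text instead of being parsed as elements.
    return (
        f'<a href="{safe_href(link)}">{html.escape(name)}</a>'
        f'<p>{html.escape(body)}</p>'
    )
```

The same payload that lands a live <script> element in the unsafe output is displayed verbatim as text by the safe one, and a javascript: profile link is replaced by a harmless "#".<\/p>\n\n\n\n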

Email (Mail command\/SMTP) <\/strong> Injection<\/strong><\/h2>\n\n\n\n

Injects IMAP or SMTP commands, or extra mail headers, through a web form whose contents the application passes to a mail server that the attacker cannot reach directly.<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

Spam relay, Information disclosure<\/p>\n\n\n\n
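CRLF injection (above) and mail header injection are the same bug in two protocols: both HTTP and SMTP end a header line with CR LF, so a line break in an untrusted value starts a new header. The following added example (illustrative code, not from the original post) serves both sections. It builds an HTTP redirect and a contact-form message with and without a line-break check, then parses the result the way a receiving parser would. render_headers, parse_headers and the payloads are constructed for the demonstration.<\/p>\n\n\n\n

```python
"""Added example (not from the original post): header injection through a
redirect target and through a contact-form subject. render_headers and
parse_headers mimic how HTTP and SMTP frame a header block; the function
names and the payloads are constructed for the demonstration."""
from __future__ import annotations

import re

_LINE_BREAK = re.compile(r"[\r\n]")


def render_headers(headers: dict[str, str]) -> bytes:
    # Serialise a header block the way HTTP and SMTP do: "Name: value"
    # lines separated by CR LF, terminated by an empty line.
    block = "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return (block + "\r\n").encode()


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    # Parse it back as a receiving parser would. Real parsers are lenient
    # and accept a bare LF too, which is why the check below rejects both
    # characters rather than only the CR LF pair.
    out = []
    for line in re.split(r"\r?\n", raw.decode()):
        if line == "":
            break
        name, _, value = line.partition(":")
        out.append((name.strip(), value.strip()))
    return out


def redirect_unsafe(target: str) -> bytes:
    # Vulnerable: a user-supplied "next" URL goes into Location unchecked.
    return render_headers({"Location": target})


def redirect_safe(target: str) -> bytes:
    # Hardened: a header value must be one line; anything else is refused.
    if _LINE_BREAK.search(target):
        raise ValueError("CR or LF in header value")
    return render_headers({"Location": target})


def mail_unsafe(to_addr: str, subject: str) -> bytes:
    # Vulnerable contact-form mailer: the Subject field is pasted into the
    # message header block verbatim, so a newline in it adds a Bcc header
    # and turns the form into a spam relay.
    return render_headers({"To": to_addr, "Subject": subject})


def mail_safe(to_addr: str, subject: str) -> bytes:
    # Hardened: same single-line rule for every header-bound field.
    for field in (to_addr, subject):
        if _LINE_BREAK.search(field):
            raise ValueError("CR or LF in mail header")
    return render_headers({"To": to_addr, "Subject": subject})
```

With the redirect, a target of "/home\r\nSet-Cookie: session=..." comes back out of the parser as two headers, one of them attacker-chosen; a second CR LF pair would end the header block altogether and let the attacker supply the response body, which is how XSS follows from CRLF injection. Modern HTTP libraries refuse line breaks in header values for exactly this reason, so the check belongs wherever you assemble protocol text by hand.<\/p>\n\n\n\n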

Host Header<\/strong><\/strong> Injection<\/strong><\/h2>\n\n\n\n

Abuses the implicit trust that many applications place in the HTTP Host header, for example when building absolute URLs for password-reset emails or when a cache keys responses on it, in order to poison password-reset links and web caches.<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

Password-reset poisoning, Cache poisoning<\/p>\n\n\n\n
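Password-reset poisoning works because the application lets the client choose the hostname in the link it emails. The following added example (illustrative code, not from the original post) builds a reset link from the request headers and then from configuration with the Host header allowlisted. The hostnames, the allowlist and the function names are assumptions.<\/p>\n\n\n\n

```python
"""Added example (not from the original post): building a password-reset
link from the request versus from configuration. The hostnames, the
allowlist and the function names are assumptions."""
from __future__ import annotations

from urllib.parse import quote

# Assumed deployment configuration.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = frozenset({"app.example.com", "www.example.com"})


def reset_link_unsafe(headers: dict[str, str], token: str) -> str:
    # Vulnerable: the link is built from whatever the client sent. The
    # attacker requests a reset for the victim's e-mail address with a Host
    # (or X-Forwarded-Host) header pointing at their own server; the victim
    # receives a genuine e-mail whose link leaks the token to the attacker
    # as soon as it is clicked.
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={quote(token, safe='')}"


def reset_link_safe(headers: dict[str, str], token: str) -> str:
    # Hardened: the origin comes from configuration, never from the request.
    # The Host header is still checked against an allowlist so that requests
    # for unexpected hosts are refused outright (this also blocks cache
    # poisoning through the same header). X-Forwarded-Host is ignored; only
    # trust it when a proxy you control sets it and strips the client's copy.
    host = headers.get("Host", "").lower().split(":", 1)[0]
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token, safe='')}"
```

Most web frameworks expose the same two controls under names like ALLOWED_HOSTS or a trusted-proxies list; the point is that the application's own origin is a configuration value, not something to read back from the request.<\/p>\n\n\n\n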

LDAP<\/strong><\/strong> Injection<\/strong><\/h2>\n\n\n\n

Injects LDAP (Lightweight Directory Access Protocol) filter syntax to run arbitrary directory queries and, where the application binds with write access, to modify entries or group memberships in the directory.<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

Authentication bypass, Privilege escalation, Information disclosure<\/p>\n\n\n\n
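An LDAP search filter is parsed from text, so a user name containing ")" or "*" can close the current assertion and add new ones. The following added example (illustrative code, not from the original post) builds a login filter by string formatting, then with the hex escaping that RFC 4515 requires inside assertion values, and includes a small structural check that shows why the escaped version cannot be tampered with. The directory layout (objectClass=person, uid attribute) and the function names are assumptions.<\/p>\n\n\n\n

```python
"""Added example (not from the original post): an LDAP search filter built
from a login form, first by string formatting and then with RFC 4515
escaping of the assertion value. The directory layout (objectClass=person,
uid attribute) and the function names are assumptions."""


def ldap_filter_unsafe(username: str) -> str:
    # Vulnerable: the user name is pasted into the filter, so ')' and '*'
    # in it close the assertion and add new ones.
    return f"(&(objectClass=person)(uid={username}))"


def ldap_escape(value: str) -> str:
    # RFC 4515 section 3: inside an assertion value these characters must be
    # written as a backslash followed by two hex digits.
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def ldap_filter_safe(username: str) -> str:
    # Hardened: the escaped value can only ever be compared, never parsed as
    # filter syntax. (Client libraries usually ship an equivalent helper;
    # prefer that one when it exists.)
    return f"(&(objectClass=person)(uid={ldap_escape(username)}))"


def is_single_filter(flt: str) -> bool:
    # Diagnostic check: does the outermost parenthesis group span the whole
    # string? A filter that closes early and then continues has been
    # tampered with. Escaped parentheses ('\28', '\29') are not counted.
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(flt) - 1:
                return False
    return depth == 0
```

With the user name "*)(uid=*))(|(uid=*", the unsafe filter becomes "(&(objectClass=person)(uid=*)(uid=*))(|(uid=*))": a server that stops at the first complete filter matches every person, which is the authentication bypass listed above. The escaped version is still a single filter looking for a literal, and rather unlikely, uid.<\/p>\n\n\n\n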

OS Command<\/strong><\/strong> Injection<\/strong><\/h2>\n\n\n\n

Injects operating system commands that run with the privileges of the account under which the web application executes. Some variants chain privilege escalation flaws and end in complete compromise of the host.<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

Full system compromise<\/p>\n\n\n\n
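The usual source of OS command injection is handing a formatted string to a shell. The following added example (illustrative code, not from the original post) shows a host-lookup helper run through the shell, then as an argument vector, then as an argument vector with an allowlist on the value. echo stands in for a real tool such as nslookup so the example runs anywhere; the function names and the hostname pattern are assumptions.<\/p>\n\n\n\n

```python
"""Added example (not from the original post): a host-lookup helper run
through the shell and then as an argument vector with allowlist validation.
'echo' stands in for a real tool such as nslookup so the example runs
anywhere; the function names and the hostname pattern are assumptions."""
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_unsafe(host: str) -> str:
    # Vulnerable: shell=True hands the whole string to /bin/sh, so ';', '|',
    # '$(...)' and backticks in the input run extra commands.
    cmd = f"echo {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(host: str) -> str:
    # Better: no shell, so metacharacters are just bytes inside one argument.
    # Still not enough on its own: a value beginning with '-' is parsed by
    # the tool as an option (argument injection); '-n' here silences echo.
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    # Hardened: argument vector plus an allowlist of what a hostname may look
    # like, which excludes both shell metacharacters and a leading '-'.
    if not HOSTNAME.match(host):
        raise ValueError(f"not a hostname: {host!r}")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout
```

The argument-vector form is the one most language runtimes offer (execve-style APIs, subprocess without shell=True, ProcessBuilder); the allowlist closes the remaining gap for tools that accept options, and for tools that support it a "--" before the value does the same job.<\/p>\n\n\n\n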

SQL Injection (SQLi)<\/strong><\/strong><\/strong><\/strong><\/h2>\n\n\n\n

Injects SQL that reads or modifies data in the database. Depending on the database engine and its configuration, variants can also write arbitrary files to the server or execute operating system commands, which can lead to complete compromise of the host.<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

Authentication bypass, Information disclosure, Data loss, Data theft, Loss of data integrity, Denial of service, Full system compromise<\/p>\n\n\n\n

XPath Injection<\/strong><\/strong><\/strong><\/strong><\/h2>\n\n\n\n

Injects data that alters the XPath queries an application runs over XML documents, which can be used to read unauthorized data and bypass authentication.<\/p>\n\n\n\n

Potential Impact<\/h5>\n\n\n\n

 <\/strong>Information disclosure, Authentication bypass.<\/p>\n\n\n\n

Prevention against Injection Attacks<\/h2>\n\n\n\n

Injection is one of the most commonly used web attack vectors, and a frequent route to sensitive data held by organisations. Fortunately, there are well-understood ways to defend an application against it.<\/p>\n\n\n\n

Parameterized Statements<\/strong><\/h3>\n\n\n\n

Applications connect to SQL databases through database drivers. The driver lets the application construct and run SQL statements and retrieve and manipulate data as needed. With parameterized statements (prepared statements with bound parameters) the SQL text is sent to the database separately from the parameter values, so a value supplied at runtime is treated strictly as data and can never change the structure of the query, whatever quotes or comment markers it contains.<\/p>\n\n\n\n
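The following added example (illustrative code, not from the original post) puts the SQL Injection section and this one side by side: a login lookup written with string concatenation and then with bound parameters, both run against an in-memory SQLite database. The schema and sample rows are constructed for the demonstration, and the password "hashes" are placeholder strings.<\/p>\n\n\n\n

```python
"""Added example (not from the original post): a login lookup written with
string concatenation and then with bound parameters, run against an
in-memory SQLite database. The schema and sample rows are constructed for
the demonstration; the password "hashes" are placeholder strings."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users, one of them an admin.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password_hash: str):
    # Vulnerable: the values become part of the SQL text, so quotes and
    # comment markers in them change the statement's structure. A user name
    # of "alice' --" comments out the password check entirely.
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str):
    # Hardened: the statement is fixed; the ? placeholders are bound to the
    # values by the driver, which passes them to the engine as data. The
    # same payloads now simply fail to match any row.
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()
```

Placeholder syntax varies by driver (? here, %s for psycopg, :name or $1 elsewhere) but the mechanism is the same everywhere: the query is planned once with the placeholders in place and the values never pass through the SQL parser.<\/p>\n\n\n\n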

Object Relational Mapping<\/strong><\/strong><\/h3>\n\n\n\n

Many engineering teams use Object Relational Mapping (ORM) frameworks to turn SQL result sets into application objects. With an ORM, developers rarely have to write SQL by hand, and these tools use parameterized statements under the hood. The best-known example is probably Active Record in Ruby on Rails. Note that most ORMs also expose raw-query or string-fragment interfaces, and SQL assembled through those is just as injectable as hand-written SQL, so the same discipline applies there.<\/p>\n\n\n\n

Escaping Inputs<\/strong><\/strong><\/strong><\/h3>\n\n\n\n

If you cannot use parameterized statements or a framework that writes the SQL for you, the next best option is to ensure that special characters in the input parameters are correctly escaped. Use the escaping function supplied by your database driver rather than writing your own, since the rules depend on the database and on the connection character set, and remember that escaping only protects quoted string values; it does nothing for numbers, table or column names, or keywords that are pasted into a statement.<\/p>\n\n\n\n

Stored procedures<\/strong><\/strong><\/strong><\/strong><\/h3>\n\n\n\n

Stored procedures let the developer group one or more SQL statements into a logical unit that is stored in the database with its own execution plan. Their parameters are bound in the same way as those of a parameterized statement, so input is passed as data rather than pasted into SQL text. Simply put, a stored procedure is database code that is written once and called many times: instead of rebuilding the statement in the application, you call the procedure. A stored procedure is only as safe as its body, however; one that builds dynamic SQL from its arguments (for example with EXEC or sp_executesql) is just as injectable as string concatenation in the application.<\/p>\n\n\n\n

Input Validation<\/strong><\/strong><\/strong><\/strong><\/strong><\/h3>\n\n\n\n

Validation checks whether the input submitted by the user is of the kind the application expects: the right type, length, format and range. Only values that pass validation are processed. Validation works best as an allowlist (define what is permitted and reject everything else) rather than a blocklist of known-bad strings, and it complements parameterization rather than replacing it: it is the only defence for the parts of a statement that cannot be bound as parameters, such as a column name or a sort direction. In a way, it is like looking to see who is knocking before opening the door.<\/p>\n\n\n\n
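The following added example (illustrative code, not from the original post) applies those checks to the query parameters of a user-listing endpoint. Free-form values still travel as bound parameters; the column name and sort direction, which no driver can bind, are checked against a fixed allowlist before being interpolated. The field names, limits and column set are assumptions about the application.<\/p>\n\n\n\n

```python
"""Added example (not from the original post): allowlist validation for a
user-listing endpoint. Values still travel as bound parameters; the parts
of a statement that cannot be bound (a column name, a sort direction) are
checked against a fixed allowlist. Field names, limits and the column set
are assumptions about the application."""
from __future__ import annotations

import re

# Assumed application constraints.
SORTABLE_COLUMNS = frozenset({"username", "role", "created_at"})
ROLES = frozenset({"user", "admin"})
MAX_LIMIT = 100
# '_' and '%' are LIKE wildcards, so they are deliberately excluded from a
# prefix that will be used in a LIKE pattern.
USERNAME_PREFIX = re.compile(r"^[a-z0-9]{1,32}$")


def validate_listing_params(params: dict[str, str]) -> dict:
    # Each check names the field it rejects; the caller turns ValueError
    # into a 400 response.
    clean = {}

    sort = params.get("sort", "username")
    if sort not in SORTABLE_COLUMNS:                  # identifier: allowlist only
        raise ValueError("sort")
    clean["sort"] = sort

    direction = params.get("dir", "asc").lower()
    if direction not in ("asc", "desc"):              # keyword: allowlist only
        raise ValueError("dir")
    clean["direction"] = direction.upper()

    role = params.get("role", "user")
    if role not in ROLES:                             # value with a known domain
        raise ValueError("role")
    clean["role"] = role

    prefix = params.get("prefix", "")
    if prefix and not USERNAME_PREFIX.match(prefix):  # format and length
        raise ValueError("prefix")
    clean["prefix"] = prefix

    try:                                              # type and range
        limit = int(params.get("limit", "20"))
    except ValueError:
        raise ValueError("limit") from None
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit")
    clean["limit"] = limit
    return clean


def build_listing_query(params: dict[str, str]) -> tuple[str, tuple]:
    # Identifiers and keywords are interpolated only after allowlisting;
    # everything the user can choose freely is still bound with ?.
    v = validate_listing_params(params)
    sql = (
        "SELECT username, role FROM users WHERE role = ? AND username LIKE ? "
        f"ORDER BY {v['sort']} {v['direction']} LIMIT ?"
    )
    return sql, (v["role"], v["prefix"] + "%", v["limit"])
```

Binding the column name instead (ORDER BY ?) is a common mistake: the database accepts it, but it then sorts by a constant string and the order silently becomes undefined, which is why identifiers must be allowlisted rather than parameterized.<\/p>\n\n\n\n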

Conclusion<\/h2>\n\n\n\n

Get your website or web application checked against injection today. Get your first preliminary scan here<\/a>, and find more insights about your application or website.<\/p>\n","protected":false},"excerpt":{"rendered":"

Injection attacks apply to a wide class of attack vectors that enable an attacker to supply untrusted information to a program that […]<\/p>\n","protected":false},"author":12,"featured_media":1885,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-1876","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-en"],"_links":{"self":[{"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/posts\/1876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/comments?post=1876"}],"version-history":[{"count":3,"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/posts\/1876\/revisions"}],"predecessor-version":[{"id":10945,"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/posts\/1876\/revisions\/10945"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/media\/1885"}],"wp:attachment":[{"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/media?parent=1876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/categories?post=1876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tikaj.com\/wp-json\/wp\/v2\/tags?post=1876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}