Info Sharing Blog

Sunday, August 30, 2020

OWASP Top 10 : Injection Attacks

August 30, 2020 Posted by jaacostan

Injection Attacks.

Injection attacks can be broadly classified into two major kinds: SQL injection and command injection.

SQL Injection: This occurs when user input is passed to SQL queries. As a result, the attacker can access the database and do whatever they want, such as manipulating or deleting tables.

Command Injection: This occurs when user input is passed to the target system as system commands. The attacker is able to execute arbitrary system commands on application servers.

The best way to prevent injection attacks is to ensure that user-controlled input is not interpreted as queries or commands, which is simply known as input validation. This can be done in different ways:

Using an allow list: When user input is sent to the target server, the input is compared to a list of safe inputs or characters. If the input is marked as safe, it is processed.
Stripping input: If the input contains suspicious characters, these characters are stripped off before the input is processed.

Command injection occurs when server-side code (like PHP) in a web application makes a system call on the hosting machine using functions such as passthru. This web vulnerability allows an attacker to take advantage of that system call to execute operating system commands on the target server. By exploiting the vulnerability, an attacker can spawn a reverse shell and act as the user that the web server is running as. Once the attacker has a foothold on the web server, they can start the usual enumeration of your systems and look for ways to pivot around.
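The allow-list and stripping approaches described above, side by side, as an added Python example that is not code from the original post. The function names, the sample inputs and the stand-in child process are assumptions for illustration. Passing the value as a single argument without a shell is an additional safeguard shown here, one way to keep input from being interpreted as a command.

```python
import re
import subprocess
import sys

# Allow list: hostname/IPv4 characters only, starting and ending with a letter or digit.
ALLOWED_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# Deny list for the stripping approach: characters a shell treats specially.
SHELL_META = set(";&|`$<>(){}!*?~\\\"'\n\r\t ")


def allow_list_check(value: str) -> bool:
    """Allow list: accept only if the whole input matches the safe pattern."""
    return ALLOWED_HOST.fullmatch(value) is not None


def strip_suspicious(value: str) -> str:
    """Stripping: drop suspicious characters and process whatever is left."""
    return "".join(ch for ch in value if ch not in SHELL_META)


def run_with_argument(value: str) -> str:
    """Pass input as one argv element with no shell, so it stays data.

    The child process is a stand-in for a real system command (assumption):
    it prints its first argument back unchanged.
    """
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


def handle_request(host: str) -> str:
    """Validate first, then make the system call only for accepted input."""
    if not allow_list_check(host):
        raise ValueError("input rejected by allow list")
    return run_with_argument(host)


# Constructed sample inputs: one ordinary value, one carrying a shell separator.
SAMPLES = ["example.com", "example.com; echo injected"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), allow_list_check(sample), repr(strip_suspicious(sample)))
```

Stripping turns the second sample into a different value that is then processed without any error, while the allow list rejects the request outright, which is why the allow list is the stricter of the two.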