What are Injection Flaws?

Last Updated : 15 Jun, 2022

An injection flaw is a vulnerability that allows an attacker to relay malicious code through an application to another system. It lets attackers inject client-side or server-side commands, and it is one of the flaws through which attackers can take control of web applications. Depending on the type of vulnerability, an attacker might inject SQL queries, JavaScript, OS commands, and so on.

[Figure: Injection Flaws diagram]

Effects of Injection Flaws:

  • Allows an attacker to compromise the victim’s system.
  • Allows hackers to execute malicious codes.
  • Allows attackers to perform cross-site request forgery (the website cannot tell that the request actually originated from the attacker rather than from the legitimate user).
  • Allows hackers to compromise databases.
  • An arbitrary file upload vulnerability may result in compromise of the entire database.
  • Loss of confidentiality, integrity, and availability.

Improper Input Sanitization:

An attacker exploits the web application by submitting malicious commands, code or tokens, and the web application passes on and executes this attacker-supplied data without sanitizing it. This allows the attacker to gain access to the application.

Let’s look at the example below:

Web Application                                      Application Server

login page (attacker enters malicious code here) ---> malicious code reaches the server

This is how an attacker gets malicious code into the web application: the input is forwarded unchanged. Requests should always be sanitized before they are passed on to the server.

Preventions from Improper Input Sanitization:

  • Sanitize input after receiving it from the user.
  • Use an appropriate server-side filter.
  • Input should be validated at both client and server sides.

Improper Output Sanitization:

An attacker exploits the web application by injecting malicious commands, code or tokens, and the application writes this data into its response without sanitization. This allows the attacker to control the HTTP/HTML responses that other users receive.

Let’s look at the example below:

Web Application                                      Application Server

Attacker   <--- response built from unsanitized user input

This allows the attacker to analyze the requests and responses and to place content of their choosing into the response.

How to Fix Improper Output Sanitization:

  • Sanitize output before inserting it into HTML/HTTP response.
  • Encode all special characters.

Apply Least Privilege:

This is effective because the web application then runs with only the privileges it needs to perform its function. Running it with root access endangers the whole device: as superuser it has every privilege, and that becomes an opportunity for an attacker if the application is compromised.

Types of Injection Attacks:

There are many types of injection attacks; some of them are:

How to Prevent Injection Flaws:

  • Use of prepared statements (with parameterized queries)
  • Use of properly constructed stored procedures
  • Allow-list input validation
  • Escaping all user-supplied input
  • Performing allow-list input validation as a secondary defense
  • Use strong web application firewalls to make exploitation difficult
