29 Jan

6 Most feared web application attacks and how to beat them – Part 2 (Injection)


Web applications typically work by accepting commands from users and retrieving the related data from a back-end database. How this interaction is secured varies from one programming language to another. The low-level interaction between user and web application often pays no attention to the structure of the output language, which leaves applications vulnerable to several kinds of cyber threats.

Continuing the earlier blog, which covered session hijacking, an attack method that generally targets browser sessions and web applications, here we will discuss another web application attack: injection attacks. An injection attack is a class of attack vectors, and SQL injection is a prevalent form of it. In an injection attack, threat actors alter the intended behaviour of a program by supplying untrusted input that the program ends up interpreting as code.

“SQL injection attacks are a top web application threat, accountable for two-thirds of attacks between January and September 2019.”

An old, yet still used form of web application attack – Injection attack

Injection attacks are one of the oldest and most dangerous forms of cyberattack. They can cause data loss, denial of service (DoS), system compromise, and data theft. As has long been understood, these attacks stem from insufficient validation of user input. They take different forms, which include –

Form of injection attack, description, and impact:

  • Code Injection – Malicious code is injected into the web application and executed by it, which can let the attacker control OS commands. Impact: system compromise.
  • Cross-Site Scripting (XSS) – Usually occurs in applications written in JavaScript; an arbitrary script is injected alongside the application's original script. Impact: account impersonation, data theft, defacement.
  • LDAP Injection – A cybercriminal inserts an LDAP (Lightweight Directory Access Protocol) statement to modify the contents of the LDAP tree. Impact: authentication bypass, data exposure, gaining unauthorized privileges.
  • OS Command Injection – An attacker injects malicious OS commands that the application executes with the privileges of its authorized user. Impact: system compromise.
  • XPath Injection – XPath queries are altered by adding arbitrary code to the original statement. Impact: information disclosure, authentication bypass.

Before we start with SQL injection, check out this informational video by Jaime Manteiga, an Information Security Professional and Researcher, in which he talks about why web applications are targeted so frequently.

Another form of Injection Attack – SQL Injection (SQLi)

SQL injection is a type of injection attack in which the threat actor injects malicious SQL statements into the targeted web application. Those statements are passed on to the database server behind the application, giving the attacker unauthorized access to it. Attackers can bypass authentication and authorization pages to either control the application or retrieve sensitive data from the linked database, and they can also alter the original data. Applications that use SQL databases such as MySQL, Oracle, and SQL Server are the ones susceptible to SQL injection.

Which vulnerability can lead to SQL injection attacks?

The underlying vulnerability is user-supplied input that the application builds into an SQL query without proper validation or parameterization. Once cybercriminals detect such an input, they abuse it to penetrate the application.

How can you stop SQL injection attacks?

  • Input validation and parameterized queries prevent SQL injection attacks.
  • A secure application should never pass user input directly into database queries.
  • The developer should keep a sanitization layer between the input data and the database.
  • Ensure that database errors are not visible on production sites.
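As an added illustration of these four points (example code written for this page, not code from the original post), the constructed Python snippet below uses an in-memory SQLite database to contrast a login query built by string concatenation with one that validates the username against an allowlist, binds parameters, and hides database errors from the caller. The users table, its rows and the tautology input are all constructed for the demo.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web application's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only to keep the demo short; a real system stores password hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Input is concatenated into the statement, so quotes in the input change its logic."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()

# Sanitization layer: an allowlist of the characters a username may contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Validate first, then bind the values so the driver treats them purely as data."""
    if not USERNAME_RE.fullmatch(username):
        return None
    try:
        sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
        return conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error:
        # Record the real error server-side; the client only ever sees a generic failure.
        return None

def demo() -> dict:
    """Run both versions against the same constructed tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input: closes the quote, adds an always-true clause
    return {
        "vulnerable": login_vulnerable(conn, tautology, tautology),        # a row: bypass
        "parameterized": login_parameterized(conn, tautology, tautology),  # None: rejected
        "parameterized_valid": login_parameterized(conn, "bob", "hunter2"),
    }

if __name__ == "__main__":
    print(demo())
```

Even when the username passes the allowlist, the bound password is compared literally, so the same tautology string in the password field simply fails to match.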

What are the skills required to combat SQL injection attacks?

A security professional with basic computer networking knowledge, enough to understand how web applications work, would make a great prospect for the job. The security staff concerned should also have comprehensive skills in working with a Database Management System (DBMS) and in penetration testing web applications.

In the next part of the series, you will get to learn about cross-site scripting (XSS). The blog will discuss the vulnerabilities that are capable of leading to an XSS attack and how to stop them in advance.

If you want to contribute as a security professional, you need a credible professional background. Licensed Penetration Tester (L|PT) Master tests your skills and abilities in different forms, assuring recruiters and the management board of an organization that you possess everything they are looking for in a penetration tester. As L|PT (Master) is an online, remotely proctored exam, it is well regarded by recruiters from all around the globe.

FAQs

What can be caused by injection attacks?
Injection attacks are capable of causing data loss/theft, denial of service, or full system compromise.

Read more: Most Common Cyber Vulnerabilities Part 1 (Injection Flaws)

What is SQL injection? (Explanation with an example)
An SQL injection is a type of injection attack where a cyber attacker inserts malicious SQL queries as data input to gain unauthorized access. Common examples include retrieving hidden data and UNION attacks that read other database tables.

Read more: What is an SQL Injection Attack? How Can You Prevent It?

Why do hackers use SQL injection?
SQL injection attacks help hackers gain access to privileged or otherwise restricted parts of a database. This is achieved by introducing malicious SQL queries as input to the original code.

Read more: Ethical Hackers: Get Paid to Break Into Computers
