infosecgirls
Appsec
Appsec
  • Introduction
  • Application Details
    • VM - Pre-req
    • Import Virtual Machines
    • Access Mutillidae Web Application
  • INITIAL SETUP WITH OWASP ZAP
    • OWASP ZAP
    • Setup OWASP ZAP
    • Modes
    • Automated Scan
    • Report Generation
  • Initial Setup with Burp
    • Start Burp Suite
    • Add FoxyProxy Addon
    • Add New Proxy In FoxyProxy
    • Configure Proxy Listener
    • Install Burp's CA Certificate In Firefox
    • Getting Rid of Unnecessary Browser Traffic
  • Quick Basics
    • Disable Intercept Mode in Burp
    • Enable Intercept Mode in Burp
    • Send to Repeater
    • Send to Comparer
  • Web Application Pentesting
    • A1 - Injection
      • SQL Injection with bWAPP
      • SQL Injection in DVNA
      • Command Injection in DVNA
    • A2 - Broken Authentication
      • Broken Authentication with bWAPP
    • A3 - Sensitive Data Exposure
      • Sensitive Data Exposure - DVNA
    • A4 - XML External Entities (XXE)
      • XML External Entity (XXE) Injection - Mutillidae
      • XML External Entity (XXE) Injection - DVNA
    • A5 - Broken Access Control
      • Broken Access Control - DVNA
    • A6 - Security Misconfiguration
      • Security Misconfiguration in DVNA
      • Security Misconfiguration in Mutillidae
      • Security Misconfiguration in Security Shepherd
    • A7 - Cross-Site Scripting (XSS)
      • Reflected XSS
      • DOM XSS
      • Stored XSS - Mutillidae
      • XSS - Sending data to remote server
    • A8 - Insecure Deserialization
      • Insecure Deserialization - DVNA
    • A9 - Using Components with Known Vulnerabilities
      • Using Components with Known Vulnerabilities - DVNA
    • 10 - Insufficient Logging & Monitoring
    • References
    • About Us
  • Additional Content
    • Insecure Direct Object Reference
    • Security Misconfiguration
    • Password Guessing Attack
    • User Enumeration
      • Unauthenticated User Access
      • Create a New User
      • Authenticated User Access
      • Intruder: Set Positions
      • Intruder: Define Payload
      • Intruder: Configure Grep - Extract
      • Trigger Attack & Save Results
    • Custom Iterator
    • Null Payload
    • Request in Browser: Privilege Escalation Check
  • Burp Extenders
    • Target
    • Proxy
    • Intruder
    • Repeater
    • Sequencer
    • Decoder
    • Comparer
    • Extender
Powered by GitBook
On this page
  • What is Injection?
  • Types of Injections

Was this helpful?

  1. Web Application Pentesting

A1 - Injection

What is Injection?

In simple words, an injection attack is one in which databases and other systems are vulnerable to such an extent that an attacker can inject malicious or untrusted data into the system. This occurs when untrusted data is sent to an interpreter as part of a command or query. Basically, the attacker's data tricks the interpreter into executing commands without adequate authorization.

If this is not already troubling, the added trouble happens when this data can flow down to clients and end users too, thus inflicting damage through malware, viruses or other security problems.

Types of Injections

Depending on the type of database system, the programming language and other factors, there can be many different types of injections:

Injection Flaws include, but are not limited to:

  • LDAP Queries

  • SQL Queries

  • XPath Queries

  • Program Arguments

  • OS Commands

The fact that there are so many possibilities is itself a major reason why it is extremely difficult for developers and system admins to locate the exact point of injection.

PreviousSend to ComparerNextSQL Injection with bWAPP

Last updated 5 years ago

Was this helpful?