A1 - Injection

What is Injection?

In simple words, an injection attack is one in which databases and other systems are vulnerable to such an extent that an attacker can inject malicious or untrusted data into the system. This occurs when untrusted data is sent to an interpreter as part of a command or query. Basically, the attacker's data tricks the interpreter into executing commands without adequate authorization.

If this is not already troubling, the added trouble happens when this data can flow down to clients and end users too, thus inflicting damage through malware, viruses or other security problems.

Types of Injections

Depending on the type of database system, the programming language and other factors, there can be many different types of injections:

Injection Flaws include, but are not limited to:

• LDAP Queries

• SQL Queries

• XPath Queries

• Program Arguments

• OS Commands

The fact that there are so many possibilities is itself a major reason why it is extremely difficult for developers and system admins to locate the exact point of injection.