
Injection

Injection risk category explained with examples like SQL injections and XSS attacks. Learn how to prevent and mitigate these threats effectively.

Overview

Injection is a risk category covering cases where a threat actor can supply malicious input to a web application and the application ends up executing unexpected, unwanted commands as a result.


Description

Injection occurs when the application cannot distinguish untrusted input from its own code or queries. Common injection attacks include SQL injection, where malicious SQL is inserted through input fields and becomes part of the query the database runs, and JavaScript injection, where malicious script is loaded into the client side of the web app. Injection attacks can lead to a range of negative outcomes, including denial of service, privilege elevation, and data breaches.


How to Prevent?

An important strategic element of mitigation is encouraging the use of tools that detect injection vulnerabilities in code. Because there are several different kinds of injection attack, you may need more than one tool to test thoroughly.


Example Attack Scenarios:

  • SQL Injection Attack:  In a SQL injection attack, an attacker injects malicious SQL into input fields, which can lead to unauthorized access, data manipulation, or even complete takeover of the database. For example, an attacker could exploit a vulnerable login form by submitting 'OR '1'='1'--' as the username, circumventing the authentication check.

  • Cross-Site Scripting (XSS) Attack:  In an XSS attack, an attacker injects malicious scripts into web pages viewed by other users. This allows the attacker to steal sensitive information, such as login credentials or session cookies, from unsuspecting users. For example, an attacker could inject a script that redirects users to a fake login page, capturing their credentials.
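The two scenarios above, and the mitigation the "How to Prevent?" section asks for, are easier to reason about with the vulnerable implementation beside its hardened form. The following Python is an added example, not Cloud Defense's code: the `users` table, the account, the login functions, the greeting templates and both payloads are constructed for this demonstration (the SQL payload is the username string quoted in the first scenario). It shows that the same input that bypasses a string-concatenated login check is treated as plain data by a parameterised query, and that output encoding turns injected markup into inert text.

```python
"""Injection scenarios side by side: SQL injection via a login form and
stored XSS via an unescaped greeting. Added example with constructed data."""
import html
import sqlite3

# Payload from the SQL injection scenario above, used verbatim as the username.
SQLI_PAYLOAD = "'OR '1'='1'--'"
# Constructed XSS payload: a script tag with a placeholder function name.
XSS_PAYLOAD = "<script>attacker()</script>"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database holding one legitimate account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is pasted into the SQL text, so the database cannot tell the
    # attacker's quote and comment characters from the developer's query.
    query = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: values travel separately from the SQL text, so
    # quotes and comment markers inside them are compared as literal data.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_greeting_vulnerable(name: str) -> str:
    # Untrusted data placed into HTML unchanged: markup in the name becomes
    # part of the page that other users' browsers will parse and execute.
    return f"<p>Welcome, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # Output encoding for the HTML context: <, >, &, quotes become entities
    # that the browser displays rather than interprets.
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    """Run both scenarios and report what each implementation does."""
    conn = make_db()
    return {
        "sqli_bypasses_vulnerable_login": login_vulnerable(conn, SQLI_PAYLOAD, "x"),
        "sqli_bypasses_safe_login": login_safe(conn, SQLI_PAYLOAD, "x"),
        "script_survives_vulnerable_render": "<script>" in render_greeting_vulnerable(XSS_PAYLOAD),
        "script_survives_safe_render": "<script>" in render_greeting_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The vulnerable login evaluates to `username = '' OR '1'='1'` with the rest of the condition commented out, so any password is accepted; the parameterised version simply looks for a user whose name is the payload string and finds none. The same discipline applies to the XSS case: the fix is not to filter `<script>` but to encode every untrusted value for the context it lands in.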
