(OWASP) A1-Injection

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Question 1 – What is Injection?


Ans:-

  • There are many types of injection vulnerabilities. Some of the most common include:
    • SQL Injection
      • Error based SQLi
      • Blind SQLi
      • String SQLi
      • Blind Numeric SQLi
      • Blind String SQLi
    • Code injection
    • OS Commanding
    • LDAP Injection
    • XML injection
    • XPATH Injection
    • SSL injection
    • IMAP/SMTP Injection
    • Buffer Overflow
  • All involve allowing untrusted or manipulated requests, commands, or queries to be executed by a web application.
  • SQL injection alone continues to be the most common breach paradigm in 2013.

Question 2 – What are the Risks of Injection?


Ans:- Injection vulnerabilities also present some of the most significant risks when effectively exploited. Some of these risks include:

  • Data loss or corruption.
  • Data could be stolen.
  • Unauthorized access.
  • Denial of access.
  • Complete host system takeover.

Question 3 – How to prevent yourself from this vulnerability?


Ans:-

  • Use a Vetted Library or Framework.
  • Use an API which avoids the use of an interpreter (parameterized).
  • Run the application with minimum privileges.
  • Escape all special characters used by an interpreter.
  • Input validation/sanitization: whitelist only allowed characters.
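
To make the parameterized-API and whitelist points concrete, here is an added example (not part of the original post) that runs the same lookup three ways against an in-memory SQLite database. The table, the function names and the sample inputs are all constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def find_user_concat(db, name):
    # Weak: the untrusted value becomes part of the SQL text that the
    # interpreter parses, so quote characters in it change the query.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_param(db, name):
    # Parameterized: the value is bound separately from the SQL text and
    # is only ever treated as data, never parsed as SQL.
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

# Allow list: letters, digits and underscore, 1 to 32 characters.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")

def find_user_validated(db, name):
    # Input validation layered on top of the parameterized query.
    if not ALLOWED_NAME.fullmatch(name):
        raise ValueError("name contains characters outside the allow list")
    return find_user_param(db, name)

# Constructed inputs: one hostile, one legitimate value containing a quote.
HOSTILE = "nobody' OR '1'='1"
APOSTROPHE = "O'Brien"

if __name__ == "__main__":
    db = make_db()
    print("concat, hostile:   ", find_user_concat(db, HOSTILE))
    print("param, hostile:    ", find_user_param(db, HOSTILE))
    print("param, apostrophe: ", find_user_param(db, APOSTROPHE))
    try:
        find_user_validated(db, HOSTILE)
    except ValueError as exc:
        print("validated, hostile: rejected:", exc)
```

The concatenated version returns every row for the hostile input and raises a syntax error for the legitimate name with an apostrophe, while the parameterized version treats both as plain strings.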

DEMO

~ Hack the World and Stay Noob
