OWASP Top 10: Injection

woman at computers
Photo credit: cottonbro

Since the OWASP Top 10 was first introduced in 2003, injection has been prominently ranked with OWASP featuring it as the number one security risk to web applications in the 2010-2017 editions. In the 2021 version, injection remains a serious web application security risk that developers and web application security administrators should be aware of. 

What is an injection attack?

An injection attack occurs when an attacker exploits code that hasn’t been sanitized sufficiently. The code may not have been validated or filtered thus making it insecure and allowing attackers an open opportunity.

When it comes to cybersecurity, an attacker can inject their own malicious code into an application in order to execute remote commands. This can lead to information disclosure (now listed as cryptographic failures by OWASP), authentication bypass, and privilege escalation resulting in data loss, corruption, and breaches. A successful injection can provide attackers with unauthorized access allowing them to view/edit critical information and gain administrator access. 

What are the top injection attacks?

There are several types of injection attacks that can leave an organization vulnerable. These are some of the most common.  

SQL Injection

SQL injection is a web security flaw that allows the attacker to potentially change the SQL queries that are run against the database. This may be used to extract sensitive information such as database structure, tables, and columns, as well as their data set. 

Example: String query = “SELECT \* FROM accounts WHERE custID='” + request.getParameter(“id”) + “‘”; 

A successful SQL injection attack can allow attackers access to passwords, credit card details, personally identifiable information (PII), and more.  

SQL injection breaches & vulnerabilities

2007 — Hackers used a SQL injection attack to infiltrate the network of 7-Eleven to steal an unknown amount of credit card data. The same group later attacked other companies including Heartland, a large U.S. credit card payment processing firm.  

 2019 — Several vulnerabilities were found in the highly popular game, Fortnite, including one that left the system at risk of SQL injection attacks that could compromise user privacy. This vulnerability was identified and patched before any known exploitation occurred.  

Cross Site Scripting (XSS)

Cross-site scripting (XSS) is an online application vulnerability that enables a third party to run a script in the user’s browser on behalf of the web application. Malicious scripts can be delivered in the form of JavaScript code that the victim’s browser executes. Exploits can incorporate malicious executable code in many other languages, including Java, Ajax, and Hypertext Markup Language (HTML) 

 Example: <script>alert(‘XSS’)</script> 

XSS injection breaches & vulnerabilities

2015-2017 — eBay had a severe XSS vulnerability which allowed attacked to gain full access to seller accounts allowing them to sell products at a discount and steal payment details. This was used by attackers to drastically reduce prices of high-value products like vehicles. The vulnerability was discovered in 2016, however, attacks continued until 2017.  

2018 — British Airways was attacked by a high-profile hacker group who exploited an XSS vulnerability in a JavaScript library used on the British Airways website. This resulted in the group successfully skimming credit card information on 380,000 booking transactions before the breach was uncovered. 

OS Command Injection

OS command injection is a vulnerability that allows an attacker to execute arbitrary commands on the server of a running application. The operating system runs the inserted arbitrary commands with the web server’s privileges. In this type of attack, an attacker might upload malicious programs or obtain passwords.  

Example: & ping -c 10 & 

How to protect against breaches & vulnerabilities

All operating systems are vulnerable to these types of attacks. Developers can identify, test, and remediate these issues by using the OWASP injection prevention cheat sheet. 

LDAP Injection

LDAP injection exploits web sites that construct LDAP (Lightweight Directory Access Protocol) statements from data provided by users. When an attacker adds harmful statements into a query, the server receives malicious LDAP queries, which has security consequences. If an attacker is successful in the LDAP injection, the attacker will have access to unauthorized information and can modify the structure of LDAP. 

 Example: (&(USER=Uname)(PASSWORD=Pwd)) 

How to protect against breaches & vulnerabilities

By far the most common type of LDAP injection attack is a filter injection. This allows hackers to obtain large, categorical data sets instead of single entries. This then opens the door to a simple and effective denial of service (DoS) attack.  

CRLF Injection

In a CRLF (Carriage Return Linefeed) injection the attack injects an unexpected CRLF character sequence. The application then returns the attacker’s CRLF sequence with adjacent data provided by the hacker as a form of header response. 

 Example: fname<CR><LF>/bin/rm -rf / 

How to protect against breaches & vulnerabilities

CRLF injections exploit vulnerabilities in the application layer and can help to facilitate other types of attacks including XSS injection, proxy or web cache poisoning, website defacement, and more.

Host Header Injection

The value of this header is used by the web server to send the request to the specified website or online application. If the attacker sends an arbitrary host to the actual virtual host, this could result in web-cache poisoning and execution of unauthorized operations like password reset. 

 Example: <a href=”https://_SERVER[‘HOST’]/support”>Contact support</a> 

How to protect against breaches & vulnerabilities

Servers that implicitly trust the Host header can be open to attackers. The header is a user-controlled variable, so it is crucial that servers validate and/or escape it properly to avoid allowing an attacker to inject harmful payloads.  

Mail Command Injection

Mail command injection is a type of attack that targets mail servers and webmail apps that generate IMAP/SMTP commands from user-supplied data that has not been properly filtered. 

 Example: From:sender@domain.com%0ASubject:This is%20Fake%20Subject 

How to protect against breaches & vulnerabilities

An IMAP/SMTP injection may allow access to a mail server that was previously inaccessible. Because these can be internal systems, these may not have the same level of security hardening as front-end web servers which can give attackers an advantage.  

How to prevent injection attacks

Authorize users 

Injection attacks are often aimed at servers and software that are accessible to anybody on the internet. To prevent these attacks, it is important to securely authorize users with methods like MFA (multifactor authentication) and audit systems on a regular basis. 

 Unrestricted file uploads 

Files can contain malicious software. Review the file upload functionality so that file types and extensions supported are only those that are necessary for business functionality. Do not allow for a filename and its extension directly without having an allow list filter. 

 Data validation 

Input validation ensures that only properly formatted input enters an information system’s process, preventing inaccurate and malicious data from remaining in the database. Developers can validate data by comparing the data value against the defined set of rules and analyze information within required parameters.   

Configure parameters 

Always use prepared statements for compiling a query. This method helps distinguish the code from input data. Prepared statements that are used for compiling a query will limit variables on incoming SQL commands to avoid piggybacking the malicious injection by cybercriminals. 

 Review configurations 

Review the software your application uses and stay on top of patching. Outdated technologies could be vulnerable to attacks. JavaScript and jQuery plugins are examples of such vulnerable technologies. 

What are the facts?

  • SQL injection was first discovered in 1998 
  • 20.3% of all vulnerabilities found on all unauthenticated assessments are Web Application related vulnerabilities 
  • 12% of all internal vulnerabilities are SQL injection attacks 
  • 42% of all internet-facing critical vulnerabilities are SQL injection attacks 
  • 19% of internet-facing critical vulnerabilities are Cross Site Scripting (XSS) attacks 
  • 14.4% of all vulnerabilities across the full stack are injection attacks  

Protect your organization from injection attacks

Foresite Cybersecurity makes it easy to find, address, and remediate gaps in your security including those that make you vulnerable to injection attacks. Find out more about our cyber risk compliance consulting solutions or contact us today!  

James Clements
Security+, Network + Security Associate at Foresite Cybersecurity | + posts

After 10 years in various IT Support roles Mr. Clements made the move into IT Security starting off as a Security Analyst. As a Security Analyst Mr. Clements provided log analysis on Firewalls, Windows Servers and End Points as well as performing change requests on Firewalls. As part of his role Mr. Clements was also a technical account manager for various SME/Public Sector customers providing detailed reporting on logs, incidents as well as providing security recommendations to harden their security posture.

Mr. Clements has since made the move into Consulting and Compliance services and performs Internal and External penetration testing and vulnerability assessments as well as Web application and Mobile application testing for both authenticated and un-authenticated applications.

Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity.