Injection Attack
Understanding Injection Attack Types
Watch How to Stop SQL Injection in Their Tracks
Table of Contents
What is injection?
Injection is #1 on the latest (2017) OWASP Top 10 list. Injection vulnerabilities allow attackers to insert malicious inputs into an application or relay malicious code through an application to another system.
What are the injection attack types?
Injection is involved in four prevalent attack types: OGNL injection, Expression Language Injection, command injection, and SQL injection. During an injection attack, untrusted inputs or unauthorized code are “injected” into a program and interpreted as part of a query or command. The result is an alteration of the program, redirecting it for a nefarious purpose.
Injection attacks can include calls to the operating system via system calls, the use of external programs via shell commands, or calls to backend databases using SQL (i.e., SQL injection). Whenever an application uses an interpreter, there is the risk of introducing an injection vulnerability. Whole scripts written in Perl, Python, and other languages can be injected into a poorly designed application and then executed, giving the attacker control over its behavior.
| Injection attack | Description |
| Code Injection | Code injection is the term used to describe attacks that inject code into an application. That injected code is then interpreted by the application, changing the way a program executes. |
| Cross-Site Scripting | "Cross-site scripting" originally referred to loading the attacked, third-party web application from an unrelated attack-site, executing JavaScript in the security context of the targeted domain where cross-site data theft was the focus. |
| SQL Injection | An SQL injection attack consists of an insertion or injection of a SQL query via the input data from the client to the application. |
| OGNL injection | Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. |
| Expression Language Injection | Expression Language Injection (aka EL Injection) enables an attacker to view server-side data and other configuration details and variables, including sensitive code and data (passwords, database queries, etc.) |
| Command injection | With a command injection attack, the goal is to hijack a vulnerable application in order to execute arbitrary commands on the host operating system. |
