Web applications provide convenient digital services that we‘ve come to depend on. But they also expose dangerous vulnerabilities that cyber criminals are eager to exploit. Through a technique called injection, a hacker can submit malicious code or commands directly into a web app‘s interface, fooling it into divulging sensitive data or giving the attacker control.
In this comprehensive guide, we‘ll delve into the 9 most widespread types of injection attacks threatening web apps today. You‘ll learn how each attack infiltrates systems, the resultant devastation, and–most importantly–how to lock these digital doors before the hackers batter them down.
What Is Injection?
Injection refers to the ability for external inputs to manipulate the logic of a web application in unintended, potentially harmful ways. Attackers can insert a wide range of inputs, including:
- Code snippets
- System commands
- Malformed queries
- Scripts
When an app fails to properly sanitize these inputs, the injected payload gets interpreted and executed by the backend database, server, or browser.
This allows hackers to breach authentication, steal or corrupt sensitive data, take over user accounts, deface sites, and more. Over 30% of data breaches are linked to injection attacks, according to Veracode.
#1: SQL Injection
SQL injection targets the database layer of web apps. By inserting malicious SQL statements into input fields, attackers can trick the database into dumping information it shouldn‘t or modifying and deleting records.
The Open Web Application Security Project (OWASP) consistently ranks SQL injection as the top application security threat. Even veteran companies fall prey, as seen in the high-profile attack on American telco T-Mobile in 2022.
The Attack
Here‘s a simplified example of how SQL injection works:
- Attacker enters the input ‘ OR 1=1– into the username field of a login page
- The app constructs the SQL query: SELECT * FROM users WHERE username = ‘‘ OR 1=1–‘ AND password = ‘xxx‘
- Since the injected OR 1=1 code is always true, authentication bypasses and the hacker gains entry
By inputting additional SQL statements, the attacker can now access any of the application‘s back-end data.
Prevention
- Validate and sanitize all user inputs on the server side
- Use prepared statements and parameterized queries
- Apply the principle of least privilege to database accounts
- Carefully check third party components for SQL injection flaws
#2: Command Injection
Command injection inserts system calls into inputs that get passed to the operating system shell, granting the attacker control over server-side processes and environments.
In a notorious 2014 incident, command injection in point-of-sale systems enabled hackers to steal 56 million credit card numbers from Home Depot stores.
The Attack
Web apps commonly use input data to construct system commands, such as starting a process or writing data to a file. An attacker can tamper with that input to inject rogue commands, linked together with connectors like | and ||.
For example, entering ‘127.0.0.1 | ls‘ tricks the app into outputting the server‘s file directory along with the IP address.
Prevention
- Avoid invoking system commands from user input
- Escape or filter special characters from inputs
- Run web apps under low-privilege accounts
- Enable OS protections like ASLR and DEP
#3: Cross-Site Scripting (XSS)
Cross-site scripting enables attackers to inject malicious JavaScript, VBScript, and other types of code into a trusted web app. This gets executed by victim‘s browsers, letting hackers bypass access controls and hijack user accounts.
According to Bugcrowd data, XSS bugs now surpass even SQL injection, found in over 63% of web apps tested in 2021.
The Attack
XSS attacks generally fall under two categories:
Stored XSS: The malicious script permanently resides on the target server. The victim retrieves it when accessing stored data, like message forum posts or CMS content.
Reflected XSS: The script gets reflected back in responses to corrupted HTTP requests. Victims execute it when opening a phishing link or submitting a crafted form.
In both cases, the injected scripts transmit session cookies and other sensitive browser-side data to the attacker.
Prevention
Key defenses include:
- Filter special characters like on output
- Enable HTTP-only cookies
- Use a robust Content Security Policy
- Validate and sanitize all input sources
#4: XPath Injection
XPath injection targets web apps that query back-end XML data, allowing attackers to disclose or alter sensitive information.
Much like SQL injection, it inserts syntactically correct but malicious XPath code into inputs like search boxes and forms. The compromised XPath query then grants unintended data access or modification rights.
Since XPath queries universally work across platforms, this attack poses a serious threat to XML-reliant enterprise apps. Researchers found over 13,000 vulnerable mobile apps on the Google Play Store susceptible to automated XPath injection tools.
The Attack
Suppose an XML document stores user data like so:
<users>
<user>
<name>John</name>
</user>
<user>
<name>Jane</name>
</user>
</users>
The XPath query //users/user[name/text()=‘John‘] would extract John‘s data.
But if the name parameter comes from unchecked user input, injecting ‘ or 1=1 or ‘‘=‘ would return all user records. This exposes sensitive account information to the attacker.
Prevention
Key measures include:
- Validate user input with whitelist allowlists
- Use parameterized XPath queries
- Restrict account read/write access to XML data
- Apply cryptographic access controls to sensitive records
#5: Mail Command Injection
Network-connected servers feature command consoles that admins use to monitor mail traffic and apply policies through special IMAP/SMTP syntax. Mail command injection exploits these consoles by injecting harmful mail server commands.
Hackers can leverage compromised mail servers for sending spam, harvesting users‘ email, and launching broader network attacks. According to threat intelligence firm Recorded Future, exploitation of vulnerable Exim and Postfix SMTP servers tripled from 2020 to 2021.
The Attack
Injecting something as simple as ‘;pwd‘ after an email address would make the mail server execute the print working directory command, exposing sensitive filesystem information.
More advanced injections via malicious email attachments could allow complete remote takeover through a bash shell.
Prevention
Recommended safeguards:
- Filter special characters like ; , | ( ) $
- Install the latest security patches
- Use a sandboxed environment for email services
- Monitor attachments for malware
#6: CRLF Injection
CRLF injection gets its name from the carriage return (CR) and line feed (LF) control characters it employs. By injecting CRLF sequences into input data, attackers can trick apps into interpreting it as more than one HTTP request.
Consequences include cache poisoning, request smuggling, and vulnerability to secondary attacks like cross-site scripting.
The Attack
For instance, suppose an app checks Referer headers to allow only internal traffic. An attacker could bypass it with:
GET /page HTTP/1.1%0d%0aReferer: %0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0aalert(1)
The CRLF characters {%0d%0a} injected into the header fool the app into treating this as two requests, with the second containing arbitrary malicious content.
Prevention
Key measures:
- Validate headers to contain only allowed values
- Limit header lengths
- Filter CRLF characters from inputs
#7: Host Header Injection
Servers often host multiple web apps or sites under the same IP address. The Host header specifies which one receives the request. Attackers can exploit this by sending crafted HTTP Host headers to bypass authentication, access other virtual hosts, and more.
The Attack
Suppose example.com and admin.example.com map to the same IP. The admin site might be blocking traffic from certain countries.
An attacker can circumvent that by sending requests with the Host: admin.example.com header, using a VPN to mask their true origin.
Scanning tools like Voivode and Crimson make finding and exploiting Host header vulnerabilities fast and easy.
Prevention
Essential precautions:
- Validate Host values against a whitelist
- Isolate sensitive hosts on separate infrastructure
- Use firewalls to restrict access to management interfaces
#8: LDAP Injection
Web apps commonly connect to LDAP directories to authenticate users and access shared resources. Malformed LDAP queries allow attackers to dump password hashes, escalate privileges, compromise accounts, and more.
A key challenge is that LDAP query syntax varies across implementations, hindering defensive coding efforts.
The Attack
By inserting LDAP meta-characters like *()|& into inputs, attackers can modify queries to return more information than intended.
For example, crafting a username like ‘*‘ or 1=1#‘ can trick the directory into releasing records of other users. Chaining these injections enables attackers to pull off privilege escalation to compromise credentials.
Prevention
Recommended measures:
- Validate and sanitize all LDAP inputs
- Use placeholders instead of string concatenation
- Restrict LDAP account privileges
- Monitor directories for anomalies
#9: Server-Side Template Injection
Modern web frameworks like Django and Handlebars use template engines to dynamically generate HTML and other outputs. Attackers can terminate the template logic by injecting tags and code that gets parsed by the engine.
Depending on context, this grants access to restricted functionality, sensitive records, or a remote code execution payload.
Researchers detected over 30,000 Django-based web servers vulnerable to some form of template injection as of 2021. Major companies like Instagram, Pinterest, Spotify, and Uber have fallen victim in recent years.
The Attack
Consider a Jinja2 template that displays user information:
{% set user = "John" %}
{{users[user].name}}Input like {{users.globals.builtins.import(‘os‘).popen(‘id‘).read() }}"} would allow arbitrary command execution on the server.
Classified as "success" in OWASP‘s top ten web app risks for 2021, template injection attacks continue escalating.
Prevention
- Use auto-escaping with web template engines
- Validate and encode dynamic values
- Restrict template engine access privileges
- Continuously scan for vulnerabilities
Locking Down Web Apps for Safety
As web apps expand in complexity, so too do threats against them. But with vigilance and secure coding, these injection risks can be stemmed.
Protect your web presence and users by:
- Validating and sanitizing external inputs
- Applying the principle of least privilege
- Using prepared statements and parameterized queries
- Implementing defense in depth measures
- Retaining third-party pen testing services
Implement these injection prevention best practices across your systems. Combine them with robust monitoring to deny attackers that first crucial foothold.
