Top 5 Most Dangerous Injection Attacks

Fri, 15 May 2020 - by Zbigniew Banach

Injection attacks exploit a variety of vulnerabilities to supply untrusted user input which the application then executes. Injections are among the most common and dangerous attack vectors in web application security. Let’s take a look at our subjective top 5 injection attacks to see how they work and what you can do to prevent them.

What Are Injection Attacks?

Injection vulnerabilities are a very broad category that includes all the most serious web application security risks. In fact, the OWASP Top 10 lists injection as the #1 vulnerability category. Despite the variety of attack vectors, the common factor is that unvalidated user input is passed straight into application code or an interpreter (a database, a shell, a script engine) that treats it as instructions rather than as data. Depending on the type of vulnerability and the goal of the attack, an attacker might inject database queries, JavaScript code, operating system commands, and so on. The consequences of a successful injection attack may include information disclosure (for example, exposing login credentials and other sensitive data to the attacker), denial of service, and even complete compromise of the target system.

1. SQL Injection

The vast majority of web applications are backed by databases, and most of the popular database management systems use SQL (Structured Query Language) as the data access language. To perform an SQL injection attack, a malicious hacker includes an SQL query (or another SQL statement) in information that is entered into a web form, comment field, query string or another input channel accessible to the user.

If the target application is vulnerable to SQL injection, it will send this data directly to the database. Instead of just storing a comment or retrieving data, the database will execute SQL commands injected by the attacker. Even if the vulnerable application doesn't directly expose data, attackers may use blind SQL injection to indirectly reveal information from the database.

SQL injections are considered one of the most dangerous web application vulnerabilities and are a permanent item on the CWE Top 25 list as weakness CWE-89: Improper Neutralization of Special Elements used in an SQL Command. Netsparker detects all sorts of SQL injection vulnerabilities, including blind SQL injection, Boolean-based SQL injection, and out-of-band SQL injection.

See our SQL injection cheat sheet for a detailed discussion of SQL injection attacks, complete with examples for several popular database management systems.
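The two query styles described above side by side, as an added example that is not part of the original post: the lookup is run against a constructed in-memory SQLite table, once with the input concatenated into the SQL text and once with it bound as a parameter.

```python
import sqlite3

# Constructed in-memory table standing in for the application's user database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users (name, email) VALUES (?, ?)",
    [("alice", "alice@example.com"), ("bob", "bob@example.com")],
)


def lookup_vulnerable(name):
    """Builds the statement by string concatenation: whatever the user typed
    becomes part of the SQL text, so a quote character changes the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return _conn.execute(sql).fetchall()


def lookup_parameterized(name):
    """Sends the statement and the value separately. The driver binds the value
    at execution time, so it is only ever compared as data, never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return _conn.execute(sql, (name,)).fetchall()


# Constructed input: a tautology that closes the quoted literal in the first version.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    print(lookup_vulnerable(TAUTOLOGY))     # every row in the table comes back
    print(lookup_parameterized(TAUTOLOGY))  # [] - no user has that literal name
```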

2. Cross-Site Scripting (XSS)

While it doesn’t have “injection” in its name, cross-site scripting (XSS) is, in essence, a script injection vulnerability. Any web application that inserts user-supplied input into a web page without validating and encoding it could be vulnerable to cross-site scripting (XSS). To exploit an XSS vulnerability, the attacker provides the application with a text string that contains malicious JavaScript, for example by inserting it as a user ID in the URL. Instead of being treated as ordinary text, this code is then executed by the victim’s browser.

XSS attacks can have serious consequences, from redirecting the user to a malicious site to stealing session cookies and taking over the user session. While user input filtering can help to reduce the risk of a successful attack, there are many ways of evading XSS filters, so writing secure code is the best defense.

XSS is listed in the CWE weakness classification under CWE-79: Improper Neutralization of Input During Web Page Generation and was ranked the #2 most dangerous software weakness in the CWE Top 25 for 2019. Netsparker detects several kinds of XSS vulnerabilities, including stored cross-site scripting and DOM-based cross-site scripting.
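The "writing secure code" defense from the previous paragraphs in practice, as an added example that is not part of the original post: a constructed minimal `{{ name }}` template renderer that substitutes raw values beside one that HTML-encodes every value at output time, applied to a user ID reflected into both element content and an attribute.

```python
import html
import re

# {{ name }} placeholders of a minimal template language (constructed for this example).
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_vulnerable(template, **values):
    """Substitutes the raw value: any markup the user supplied becomes part of
    the page, and the browser runs it."""
    return _PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def render_escaped(template, **values):
    """HTML-encodes every value before substitution, so <, >, &, " and ' reach
    the browser as character references, i.e. as text. quote=True is what stops
    a value from breaking out of a quoted attribute."""
    return _PLACEHOLDER.sub(
        lambda m: html.escape(str(values[m.group(1)]), quote=True), template)


# Page that reflects a user ID both in element content and inside an attribute.
PAGE = '<h1>User {{ uid }}</h1><input name="uid" value="{{ uid }}">'

# Constructed input standing in for a user ID taken from the URL that carries markup.
UID_WITH_MARKUP = '<script>alert(1)</script>'


def leaks_raw_value(rendered, value):
    """Output check a defender can run: does the untrusted value appear in the
    rendered page unencoded?"""
    return value in rendered


if __name__ == "__main__":
    print(render_vulnerable(PAGE, uid=UID_WITH_MARKUP))
    print(render_escaped(PAGE, uid=UID_WITH_MARKUP))
```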

3. OS Command Injection

Web applications sometimes need to execute system commands in the underlying operating system. If the application has a command injection vulnerability, attackers can provide their own operating system commands in user inputs. Successful command injection (also called shell injection) can be extremely dangerous, as it can allow the attacker to extract information about the underlying operating system and its configuration or even take complete control and execute arbitrary system commands.

Again, prevention is better than cure, so it’s good practice to avoid calling system commands from web applications wherever possible. For cases where a system command is absolutely necessary, carefully validate user inputs and restrict them by whitelisting.

OS command injection came in at #11 in the CWE Top 25 list as CWE-78: Improper Neutralization of Special Elements Used in an OS Command. Netsparker detects several variants of command injection vulnerabilities, including blind command injection and out-of-band command injection.
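The whitelisting advice above applied to a typical case, as an added example that is not part of the original post: an endpoint that pings a user-supplied host. It assumes a `ping` binary with the `-c` option and contrasts a shell command line built from the input with an allowlist-validated value passed as a single argument vector element.

```python
import re
import subprocess

# Allowlist: the endpoint only ever needs a DNS hostname, so accept exactly that
# grammar (labels of letters, digits and hyphens joined by dots) and nothing else.
_HOSTNAME = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")


def ping_vulnerable(host):
    """Builds one command line and hands it to the shell: ';', '&&', '|' or
    '$( )' in the input are interpreted by the shell, not passed to ping."""
    return subprocess.run("ping -c 1 " + host, shell=True,
                          capture_output=True, text=True)


def validate_hostname(host):
    """Reject anything outside the allowlist. fullmatch() is used rather than
    match() so a trailing newline cannot slip past a '$' anchor, and a leading
    '-' cannot pass either, so the value can never be read as a ping option."""
    if len(host) > 253 or not _HOSTNAME.fullmatch(host):
        raise ValueError("input rejected: not a valid hostname")
    return host


def build_ping_argv(host):
    """Argument vector executed without a shell: the validated value is one
    argv element no matter what characters it contains."""
    return ["ping", "-c", "1", validate_hostname(host)]


def ping_hardened(host):
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    print(ping_hardened("example.com").returncode)  # assumes ping is installed
```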

4. Code Injection (Remote Code Execution)

For any web application, a large part of the application code is executed on the web server. If the attacker is able to provide application code and get the server to execute it, the application has a code injection vulnerability. For example, if the application is written in PHP, the attacker can inject PHP code which is then executed by the PHP interpreter on the server – this is called an eval injection attack.

Note that code injection is different from OS command injection, although if the interpreter allows system function calls, application code may be injected that executes a system command (effectively achieving OS command injection). If the attacker manages to get remote code execution, the target system should be considered compromised, so this is a critical vulnerability.

Code injection is classified under CWE-94: Improper Control of Generation of Code (#18 on the Top 25 for 2019), with eval injection (CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code) as one of its subtypes. Netsparker detects dozens of code execution and code evaluation vulnerabilities in a variety of programming languages and frameworks.
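The eval injection pattern described above in Python rather than PHP, as an added example that is not part of the original post: a "calculator" that passes the input string to `eval()` beside one that parses the expression into an AST and accepts only numeric literals and arithmetic operators, so the interpreter never executes attacker-chosen code.

```python
import ast
import operator

# Everything an arithmetic calculator needs: numbers and these operators.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def calc_vulnerable(expr):
    """eval() hands the whole string to the interpreter, so a 'calculation' may
    import modules, call functions and read files with the application's rights."""
    return eval(expr)


def calc_safe(expr):
    """Parse the string into an AST and evaluate it node by node, accepting only
    numeric literals and the operators above. Names, calls, attribute access and
    everything else are rejected before anything is evaluated."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid expression: {exc.msg}") from None
    return _eval_node(tree.body)


def _eval_node(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > 1000:
            raise ValueError("exponent too large")  # keeps 9**9**9 from hanging the server
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"rejected expression element: {type(node).__name__}")


if __name__ == "__main__":
    print(calc_safe("2 + 3 * 4"))  # 14
    try:
        calc_safe("__import__('os').getcwd()")
    except ValueError as exc:
        print("rejected:", exc)
```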

5. XXE Injection

The final type of injection vulnerability in this compilation is XML external entity (XXE) injection. By exploiting support for legacy document type definitions (DTDs) combined with weak XML parser security, attackers can use specially crafted XML documents to perform a variety of attacks, from path traversal to server-side request forgery (SSRF) and remote code execution.

Unlike the previous four attacks, this one does not exploit unvalidated user input. Instead, it targets inherently unsafe legacy functionality in XML parsers, so it can be particularly dangerous. If your application processes XML documents, the only way to avoid this vulnerability is to completely disable support for DTDs, or at the very least for external entities.

Attack vectors related to XML external entities were assigned the weakness classification CWE-611: Improper Restriction of XML External Entity Reference and are listed at #4 in the OWASP Top Ten. Netsparker detects XXE injection vulnerabilities, including out-of-band XXE injection.
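The "disable support for DTDs" advice above enforced at the parser, as an added example that is not part of the original post: an expat-based parse that refuses the document the moment a DOCTYPE appears and, as a second line of defence, never resolves external entities. The external entity's target is a placeholder path in a constructed document.

```python
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Raised when a document carries a DOCTYPE, the only place where external
    entities (and entity expansion bombs) can be declared."""


def parse_without_dtd(document: bytes):
    """Parse with expat but reject the document as soon as a DOCTYPE is seen.
    Returns the element names in document order to show parsing still works."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE '{name}' rejected: DTDs are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        return 0  # defence in depth: never fetch an external entity

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(document, True)
    return elements


# Constructed documents: a benign order and an XXE-style one that declares an
# external entity pointing at a placeholder local file and references it.
BENIGN = b"<order><item sku='A1'>2</item></order>"
WITH_DTD = (b"<?xml version='1.0'?>"
            b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/path'>]>"
            b"<order>&ext;</order>")

if __name__ == "__main__":
    print(parse_without_dtd(BENIGN))  # ['order', 'item']
    try:
        parse_without_dtd(WITH_DTD)
    except DtdForbidden as exc:
        print("rejected:", exc)
```

The standard-library ElementTree parser does not fetch external entities by default, but it still expands internal entities declared in a DTD; refusing the DOCTYPE outright closes both paths.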

Preventing Injection Attacks

All but one of the injection attacks listed above rely on untrusted input getting executed by the web application. Unsurprisingly, improper input validation has its own place in the CWE Top 25 list, right up at #3. Careful and thoughtful validation, filtering, and encoding of all user-controlled inputs can help to prevent the vast majority of injection vulnerabilities. To minimize your attack surface, regularly scan your web applications with an industry-leading web vulnerability scanner to make sure that you can eliminate vulnerabilities faster than new ones are introduced.

About the Author

Zbigniew Banach

Technical Content Writer at Netsparker. Drawing on his experience as an IT journalist and technical translator, he does his best to bring web security to a wider audience on the Netsparker blog and website.